Companies face significant exposure from privacy-related claims. An increasing number of these claims result from efforts at the state level to regulate use of personal data. One key focus is Illinois’ Biometric Information Privacy Act (“BIPA”), but as lawmakers in other states continue to introduce legislation aimed at regulating the use of biometric data, more court decisions may muddy the waters regarding what conduct may be covered under a general liability policy.
Coverage disputes involving BIPA exposure are arising with increasing frequency, and courts do not always see eye to eye, as shown by diverging appellate decisions addressing insurance coverage for such claims. For example, the Appellate Court of Illinois First Judicial District recently held that an insurer was not obligated to defend its insured against a class action lawsuit alleging that the insured violated BIPA. National Fire Ins. Co. of Hartford et al. v. Visual Pak Co. et al., Case No. 1-22-1160 (Ill. App. Ct. Dec. 19, 2023). In doing so, the court declined to extend a Seventh Circuit decision issued in July 2023 that reached the opposite conclusion.
Background Facts and Allegations
A class of employees sued their employer, Visual Pak, for alleged BIPA violations stemming from its use of the employees’ biometric data provided by a staffing agency. Each time the staffing agency placed an employee with Visual Pak, the employee was required to enroll in a database using a scan of their fingerprint. The class members alleged that Visual Pak violated BIPA by collecting, storing, using or disseminating class members’ fingerprints without their consent and without informing them how their biometric information would be used.
Visual Pak tendered the claim to its insurers. Two of those general liability insurers denied coverage for the lawsuit, arguing that the policy’s “Recording and Distribution of Material or Information in Violation of Law” exclusion barred coverage for the claim. That exclusion sought to bar coverage for any personal and advertising injury arising from violations of any of the following: (1) the Telephone Consumer Protection Act; (2) the CAN-SPAM Act of 2003; (3) the Fair Credit Reporting Act and its amendments, including the Fair and Accurate Credit Transaction Act; and (4) “Any [other] federal, state or local statute, ordinance or regulation . . . that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The insurers argued that BIPA fell within the “catchall” language of category 4, and therefore denied that they had a duty to defend Visual Pak against the BIPA class action.
After the underlying lawsuit settled, the insurers filed a declaratory judgment action seeking a declaration that they did not owe a duty to defend or indemnify Visual Pak for the lawsuit. On a motion for judgment on the pleadings, the trial court ruled that the insurers had no duty to defend Visual Pak.
Illinois Appellate Court’s Ruling
The Appellate Court of Illinois affirmed the trial court’s order, determining that the Violation of Law exclusion applied to Visual Pak’s BIPA claim and therefore barred coverage for the claim. In doing so, the court noted that “it is simply impossible to deny” that the catchall language in category 4 of the exclusion described BIPA, as BIPA “regulates the collection, dissemination, and disposal of one’s biometric identifiers and information.” Consequently, the court held that the insurers had no duty to defend Visual Pak.
The court noted that its decision differed from other precedent, including the Illinois Supreme Court’s West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc. decision, in which the Illinois Supreme Court found that an insurer had a duty to defend its insured against a BIPA lawsuit despite similar exclusionary language in that insurance policy. The court distinguished category 4’s “catchall” language from the exclusionary language in West Bend, noting that the West Bend policy’s scope of coverage was broader because the relevant policy exclusion did not include a limitation for laws or statutes concerning the “disposal, collecting and recording” of information.
The court also discussed the Seventh Circuit’s Citizens Insurance Company of America v. Wynndalco Enterprises LLC decision, which we have previously addressed. In Wynndalco, the Seventh Circuit found that the insurer owed a duty to defend its insured against a BIPA lawsuit where the insurance policy contained language nearly identical to that in the Violation of Law exclusion, reasoning that the exclusionary language was too broad and encompassed some statutory causes of action that were explicitly covered by the insurance policy. The court expressly disagreed with the Wynndalco decision, stating that it was not an “accurate reflection of Illinois law,” and noted that the court was not bound by federal court precedent. The court concluded that “[l]iability for a BIPA violation is unambiguously excluded from coverage. We thus respectfully disagree with the Seventh Circuit’s decision in Wynndalco and hold that the [Insurers] owed no duty to defend the underlying BIPA lawsuit.”
The Visual Pak decision creates tension with the Illinois Supreme Court’s West Bend decision and explicitly rejects the Seventh Circuit’s Wynndalco decision. These conflicting decisions show that different courts often reach different conclusions regarding nearly identical policy language. While the West Bend and Wynndalco courts enforced an insurer’s duty to defend its insured against BIPA claims under Illinois law, the Visual Pak court analyzed nearly identical policy language and held that the insurer had no duty to defend its insured against BIPA claims.
As biometric privacy law continues to develop, insureds and insurers should monitor conflicting precedent to evaluate how courts reconcile the differing opinions. Biometric privacy laws apply to all companies, not just those that operate in the traditional technology or security sectors. Insureds need to carefully analyze potential coverage when purchasing and renewing their policies and consider how courts may interpret specific language contained in their insurance policies.
These considerations are not limited to Illinois. While Illinois is currently the only state that provides a private right of action for injured individuals, Texas and Washington have both passed laws that regulate how a company may use biometric data. Similarly, the European Union’s General Data Protection Regulation (“GDPR”) restricts how companies may collect and use biometric data. Following Illinois’ lead, lawmakers in at least 12 other states proposed legislation regulating the use of biometric information in 2023 alone. Other states may pass similar laws in the near future and will likely look to existing Illinois state and federal court precedent to determine whether those states’ new laws fall within “catchall” provisions contained in insurance policies.