Lessons From Insurers' Latest BIPA Coverage Arguments

Portfolio Media. Inc. | 111 West 19th Street, 5th Floor | New York, NY 10011 | www.law360.com
Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | customerservice@law360.com

Lessons From Insurers' Latest BIPA Coverage Arguments
By Caroline Meneau and Michael Linden (January 29, 2021, 4:52 PM EST)

Litigation under Illinois' Biometric Information Privacy Act, which regulates the
collection, use and storage of biometric data,[1] continues to present important
questions for businesses, including as it relates to insurance coverage.

Though several states have enacted laws aimed at regulating an individual's
biometrics, BIPA was the first law of its kind. Unlike the laws in these other states,
BIPA provides a private right of action for any person aggrieved by a BIPA violation.
Aggrieved persons may recover $1,000 per violation where an entity negligently
violates BIPA and $5,000 per violation in the case of intentional or reckless
violations.                                                                                Caroline Meneau

Courts have resolved certain threshold issues under BIPA. Most notably, in
Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that
when a private entity violates the notice and release requirements of BIPA, any
person whose biometric information is subject to that violation is an aggrieved
person within the meaning of the act.[2]

In other words, an individual can seek statutory damages for the real and significant
injury caused by such a violation of BIPA even without showing any tangible,
personalized harm.                                                                          Michael Linden

Unsurprisingly, the Supreme Court's decision in Rosenbach has unleashed a torrent of BIPA putative
class action litigations. Many of the defendants in these litigations have turned to their insurers for
defense, prompting coverage disputes.

The first Illinois appellate court to review a BIPA-related coverage dispute affirmed a policyholder
victory, holding that the underlying BIPA complaint alleged a personal injury within the scope of the
business owner's liability policy at issue and that the policy's exclusion for violations of statutes did not
apply.[3]

In that case, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc., the Appellate Court of
Illinois, First District, considered whether allegations that a tanning salon shared customer fingerprint
data with a third-party vendor could constitute a personal injury under the tanning salon's insurance
policy.

The policy covered injuries "arising out of oral or written publication of material that violates a person's
right of privacy." The insurer, relying on Valley Forge Insurance Co. v. Swiderski Electronics Inc.,[4]
argued that publication requires a communication to the public at large, rather than to just one outside
vendor.

The court rejected that argument, holding that the plain meaning of publication "include[s] both the
broad sharing of information to multiple recipients that the court viewed [as] a 'publication' in Valley
Forge and a more limited sharing of information with a single third party."

The West Bend court also rejected the insurer's reliance on the so-called violation of statutes exclusion,
which excludes coverage for injuries "arising directly or indirectly out of any action or omission that
violates or is alleged to violate" the Telephone Consumer Protection Act, the Controlling the Assault of
Non-Solicited Pornography and Marketing Act or "any statute, ordinance or regulation that prohibits or
limits the sending, transmitting, communication or distribution of material or information."

Looking to the title of the exclusion — "violation of statutes that govern emails, fax, phone calls or other
methods of sending material or information" — the court reasoned that the exclusion only applied to
statutes governing certain methods of communications, rather than statutes like BIPA that limit whether
a company can collect or use information in the first place.

Despite the pro-policyholder decision from the West Bend court, insurers have continued to deny claims
related to defense of BIPA actions. Insurers, in the coverage litigation arising from those denials, have
sought to retread old ground, but have also come up with a bevy of new arguments. While many of
those cases appear to have settled before resolution,[5] one pending case in the U.S. District Court for
the Northern District of Illinois raises interesting issues for policyholders.

In that case, American Family Mutual Insurance Co. SI v. Schmitt South Eola LLC, the insurer recently
moved for summary judgment on its complaint seeking a declaratory judgment that it had no duty to
defend a McDonald's franchisee.[6] The franchisee tendered its defense to American Family after it was
sued by an employee who alleged the franchisee required employees to punch in and out of work using
a fingerprint or handprint scan in violation of BIPA.

In its motion, American Family makes two main arguments.

First, it claims that the franchisee does not satisfy the basic requirement for coverage: demonstrating a
personal and advertising injury, defined as an "oral or written publication, in any matter, of material that
violates a person's right of privacy." In so arguing, American Family insists that, in light of the Illinois
Supreme Court's decision in Valley Forge, West Bend is wrongly decided.

In the alternative, and more creatively, American Family attempts to distinguish West Bend. Whereas in
West Bend, the plaintiff in the underlying BIPA action alleged that the tanning salon shared her
fingerprints with a third-party vendor, American Family claims that there are not similar allegations
against the McDonald's franchisee.

In other words, according to American Family, even under the more expansive definition of
"publication" in West Bend, the franchisee does not qualify for coverage.

Second, American Family relies on a three separate exclusions: (1) the employment-related practices

exclusion; (2) the violation of statutes exclusion; and (3) the access or disclosure exclusion. It is a
bedrock principle of insurance law that "[i]t is the insurer's burden to show a claim falls within a
provision of the policy that excludes coverage, and an exclusion relied upon to deny coverage must be
free and clear from doubt."[7]

While the violation of statutes argument asks a federal district court to ignore the Illinois appellate
court's interpretation of Illinois law in West Bend, there are no reported decision adjudicating the other
two exclusions in the BIPA context.

The franchisee's liability policy excluded injury arising out of employment-related practices, policies, act
or omissions. According to American Family, the underlying BIPA allegations — which center on the
employer's time clock system — unmistakably arise out of the franchisee's employment-related
practices and policies.

A close reading of the policy calls into question American Family's logic. The full exclusion is addressed
toward injuries to a person arising out of the employer's:

    •   Refusal to employ that person;

    •   Termination of that person's employment; or

    •   Employment-related practices, policies, acts or omissions, such as coercion, demotion,
        evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination
        directed at that person.

Read in its full context, the employment-related practices exclusion American Family cites appears
targeted at decisions around hiring, firing and employee evaluation.

Indeed, the cases American Family cites demonstrate as much.[8] In the case of the franchisee, it may be
a stretch for the insurer to argue that a time clock policy, unrelated to hiring or firing, could qualify as an
employment-related practice in this context, particularly given the insurer's burden to prove an
exclusion applies.

Finally, American Family cites an "access or disclosure of confidential or personal information and data-
reliability" exclusion.

The full policy language excludes injuries "[a]rising out of any access to or disclosure of any person or
organization's confidential or personal information, including patents, trade secrets, processing
methods, customer lists, financial information, credit card information, health information or any other
type of nonpublic information."

Even if biometric information like fingerprints could, in this circumstance, reasonably be characterized as
nonpublic information, policyholders can respond that the exclusion's language appears targeted at a
lawsuit arising out of a data breach — for example, a hacking incident that reveals trade secrets or credit
card information.

Contrast that with a clock-in process in which the employee knowingly participates, and in which there is
no allegation anyone other than the employer or vendor obtained access to the time clock data.

The context of the "access or disclosure of confidential or personal information and data-reliability"
exclusion, interpreted narrowly as required by Illinois law, indicates that it may not clearly cover
biometric information provided by an employee, even if the collection and use of that information
allegedly violates BIPA.

While insurers and policyholders will doubtless be paying close attention to the policyholder's
opposition to — and ultimately, the court's resolution of — American Family's summary judgment
motion, there are already lessons to learn from the litigation.

At the outset, it is clear that insurers are not conceding that coverage exists even in light of the court's
decision in West Bend. Policyholders should continue to thoughtfully review policy language and seek
out the most expansive available coverage, particularly if they utilize biometric information in the course
of their business.

Insureds should consider whether they have or can obtain coverage available within a range of available
insurance products, including employment practices liability, cyber liability, general liability, directors
and officers, technology errors and omissions, and media liability insurance policies.

Next, policyholders facing BIPA litigation should carefully evaluate whether the underlying lawsuit
alleges disclosure of biometric information to a third party — in other words, whether the suit alleges
publication. Under West Bend, the clearer the disclosure, the better argument the policyholder has that
the basic requirements for coverage are met.

Finally, as always, policyholders should closely analyze any exclusions that might apply to BIPA liability
— for example, the employment practices and data reliability exclusions cited by American Family.

While it is the insurer's burden to show an exclusion bars coverage — and so far, courts have not
accepted insurers' arguments to exclude BIPA liability — insurers will undoubtedly continue to focus on
exclusions as a basis for denying coverage, particularly in light of West Bend's conclusion that BIPA
actions can satisfy the threshold requirement of a personal injury.

Caroline Meneau is a partner and Michael Linden is an associate at Jenner & Block LLP.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its
clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general
information purposes and is not intended to be and should not be taken as legal advice.

[1] 740 ILCS 14/1 et seq.

[2] 129 N.E.3d 1197, 1206 (Ill. 2019).

[3] W. Bend. Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, at *P24 (Mar. 20,
2020).

[4] 223 Ill. 2d 352, 367 (2006).

[5] See, e.g., Am. Fam. Mut. Ins. Co., S.I. v. McEssy Inv. Co., No. 1:20-cv-05591 Dkt. 7 (N.D. Ill. Oct. 15,
2020); Am. Guar. & Liab. Ins. Co. v. Toms King, LLC, No. 2020-CH-04472 (Cir. Ct. Cook Cnty. Aug 25,

2020); Church Mut. Ins. Co. v. Triad Senior Living, Inc., No. 1:19-cv-07599 Dkt. 18 (N.D. Ill. Feb. 6, 2020).

[6] Am. Fam. Mut. Ins. Co., S.I. v. Schmitt South Eola, LLC, No. 1:20-cv-01872 Dkt. 47-1 (N.D. Ill. Dec. 30,
2020).

[7] W. Bend. Mut. Ins. Co. v. Rosemont Exposition Servs., 378 Ill. App. 3d 478, 486 (1st Dist. 2007).

[8] See, e.g., id. (applying exclusion because the defamatory statement in the action for which the
employer sought insurance coverage "was perpetrated to provide the grounds" to fire the employee).