The US Court of Appeals for the Seventh Circuit became the first appellate court to pinpoint insurance policy language that’s too vague to exclude coverage for a policyholder that allegedly violated an influential Illinois law on biometric privacy.
Carriers will likely use the ruling as a guide in writing their standard business liability policies to explicitly carve out data privacy offenses, industry attorneys said. The ruling will also bolster policyholders seeking insurance protection amid an uptick in lawsuits claiming businesses used people’s face and retina scans and fingerprints without their consent, they said.
“Basically we’ve set a precedent that there is coverage under the general liability policies,” said Daniel Healy, a partner at Brown Rudnick LLP who works with businesses seeking coverage.
The Seventh Circuit ruling now obligates a Hanover unit to pay an Illinois IT vendor’s legal bills in two proposed class actions. The plaintiffs alleged the IT vendor violated the state’s Biometric Information Privacy Act (BIPA) by unlawfully helping the Chicago Police Department gain access to Clearview AI’s controversial facial-recognition database.
The Hanover decision “is a first-of-its-kind ruling with a strong signal about the specificity courts expect insurers to have if they want to exclude coverage for BIPA,” said Peter Halprin, a partner at Pasich LLP who represents policyholders.
BIPA, while limited to Illnois, is considered significant among privacy advocates because it’s the only state law nationwide that allows consumers and workers to sue over biometric violations. New York, California, and other states are developing their own biometric data rules.
The Seventh Circuit decision will be a “very persuasive authority to policyholders in other jurisdictions,” said Seth Lamden, an insurance recovery partner at Blank Rome LLP.
Privacy Specificity
Hanover has argued that a catch-all “violation-of-statutes” clause—one that’s commonly found in business liability policies—relieves the insurer of its duty to defend policyholders accused of biometric privacy violations.
But the Seventh Circuit said the exclusion is so ambiguous and broad that it could cancel coverage for intellectual property, slander, and libel-related suits that the policy purports to include.
“No mention, and indeed no hint, of ‘privacy’ appears anywhere in this language,” the appeals court said.
Even if the insurer had used the word “privacy” in the the violation-of-statutes exclusion, it’s unclear which privacy laws would be carved out, the court said. Some statutes are intended to shield individuals from receiving phone calls without consent, while others such as BIPA protect “the confidentiality of one’s personal information,” the Seventh Circuit said.
“The court is saying you have a particular kind of privacy here. And even under BIPA, there may be different variations of it, because it does have different levels of protection,” said Healy.
Businesses’ general liability policies are drafted entirely by the insurers without input from their policyholders. “That is the exact reason why the court requires these to be clear,“ said Halprin.
“When you hold the pen, there’s the power that comes with that,” he added.
Growing Exposure
Insurers have started to add BIPA exclusions to general liability policies. But the practice is hardly universal, according to attorneys who represent carriers.
Proposed class actions alleging violations of biometric data privacy laws pose serious risks to any insurers that haven’t updated their policies. Those insurers could be on the hook for their business policyholders’ legal defense costs.
General liability insurance “isn’t meant to cover a business dedicated to the scraping of billions of photos from the internet and creating a database that can provide one’s personal identifiable information merely from a photo,” said Robert Tomilson, an attorney at Clark Hill PLC who advises insurers.
Companies “shouldn’t be permitted to simply buy a business owner’s policy and thereby outsource the liability to an insurance carrier, ” he said.
Some cyber insurers have already been adding coverage caps and charging higher prices for biometric privacy violation claims this year, said Tresa Stephens, Allianz SE’s North America cyber head.
“We’ve started seeing some of the competitors try to put sub-limits around that exposure or to exclude it outright for any violations of BIPA or some of the other regulations,” she said.
Other insurers with general liability policies remain exposed, including those with the kind of exclusion at the center of the Hanover ruling.
The Seventh Circuit decision will “push along a full-scale revision of the violation-of-statute excisions to expressly exclude BIPA” and other states’ pending data privacy measures, said Michael S. Savett, a partner at Butler Weihmuller Katz Craig LLP who represents insurers.
“Unless you see clear exclusions, you’re going to continue to have coverage litigation on BIPA claims,” Pasich’s Halprin said.
The insurance battle is far from over despite a recent slate of policyholder-friendly BIPA decisions.
Illinois trial courts remain split on whether insurers can use other policy restrictions to deny BIPA claims, including carve-outs for employment-related actions and the disclsoure of private information, said Jonathan L. Schwartz, a partner at Freeman Mathis & Gary LLP who represents insurers.
The Illiniois high court and the Seventh Circuit haven’t addressed those exclusions yet, he said.
“There’s still plenty of rays of hope for insurers,” Schwartz said.
The case is Citizens vs Wynndalco, 7th Cir., No. 22-2313, 6/15/23.
To contact the reporter on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.