Litigation under the Illinois Biometric Information Privacy Act (BIPA)— which regulates the collection, use, and storage of biometric data and provides a private right of action to any individual aggrieved by a violation—continues at a torrid pace, raising several questions about insurance coverage.
From 2008 to 2018, there were 163 BIPA class action lawsuits filed. In 2019, well over 300 BIPA class action lawsuits were filed—more than double the previous 10 years combined. In addition, in 2020, there were at least 54 court rulings referencing BIPA, which is more than double the count from 2019, according to law firm research.
In West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan Inc., the Illinois Supreme Court held that an insurer must defend a tanning salon against a customer’s BIPA claims, because the proposed class action alleged a privacy violation that was potentially covered under the salon’s general liability policy. This ruling has a number of important implications.
In Krishna, the court held that allegations that the salon shared customer fingerprint data with a third-party vendor constituted a “personal injury,” i.e., “oral or written publication of material that violates a person’s right of privacy,” that triggered a defense obligation under the insuring agreement.
“Publication” was undefined in the policy. After consulting dictionaries and other legal authorities on insurance and privacy law, the court found the term means communication both to a single party and to the public at large, and construed it against the insurer.
As to a person’s “right of privacy,” the court recognized it includes two primary interests, “seclusion and secrecy.” Importantly, the Illinois Supreme Court held that BIPA protects a secrecy privacy interest: keeping personal biometric information secret.
The court also rejected the insurer’s reliance on its “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information Exclusion,” which excluded coverage for injuries arising out of any statute that “prohibits or limits the sending, transmitting, communication or distribution of material or information.”
The court held this exclusion only applied to statutes governing certain methods of communication (such as faxes and emails as in the Telephone Consumer Protection Act and the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM Act)), rather than those regulating the collection, use, safeguarding, handling and retention of an individual’s biometric information (as in BIPA).
Litigation under BIPA is exploding. An increasing number of defendants are seeking coverage for these lawsuits. An increasing number of plaintiffs are evaluating the possibility of settling these claims, particularly where the defendant is a small business. The potential availability of insurance coverage may impact the case valuation from both perspectives.
Given this decision, from a coverage perspective, general liability insurers should evaluate carefully whether the underlying lawsuit alleges disclosure of information to any single third party to evaluate whether a “publication” is alleged under the policy.
Also, after this decision, the narrower “Violation of Statutes that Govern E-Mails, Fax Phone Calls or Other Methods of Sending Material or Information” exclusion does not provide an avenue to preclude coverage. That said, the Krishna decision may have limited impact on general liability insurers because other commonly used exclusions appear to more broadly exclude coverage for statutory privacy claims like those under BIPA.
First, many policies contain a “Recording and Distribution of Material or Information in Violation of Law” exclusion, which precludes coverage for claims arising out of a statute “that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communication or distribution of information.” This exclusion contains broader language that was not at issue in Krishna.
Second, other common exclusions are those that address statutory right of privacy claims and/or relate to the disclosure of confidential or personal information. Krishna’s holding that BIPA is a privacy statute actually may support their application.
Third, many policies also include an “Employment-Related Practices” exclusion—or related employment exclusions—that may preclude coverage if the BIPA claim is brought by an insured’s employee.
While none of these exclusions was addressed by Krishna, further coverage actions in Illinois are set to address these issues that may provide additional guidance and may affect case evaluations by claimants, insureds, and insurers. Therefore, when evaluating coverage for these claims, careful attention should be paid to the allegations and express language of the policy and to the exclusions at issue.
An Unanswered Question
Outside of coverage issues, the state supreme court’s ruling also may impact certain defenses to BIPA claims, including the operative statute of limitations. One important unanswered question is whether Krishna’s discussion of BIPA as a privacy statute suggests Illinois courts may apply a one-year limitation for certain privacy claims to BIPA, as opposed to the two-year limitation for “statutory penalty claims” or the five-year “catch-all” limitation.
This issue remains an open question currently on appeal to the Illinois Appellate Court (Tims v. Black Horse Carriers Inc.). Whether those courts look to Krishna remains to be seen.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.