An Illinois federal court issued a milestone decision on Oct. 19 holding that an employment practices liability (EPL) policy covered two underlying Biometric Information Privacy Act (BIPA) claims. The decision confirms that EPL policies require insurers to provide a defense against BIPA claims and stands as the second major win for policyholders facing biometric-data claims this year.
In Twin City Fire Ins. Co. v. Vonachen Servs. Inc., the policyholder faced two underlying lawsuits alleging BIPA violations. The employees alleged the policyholder violated BIPA by using a time-tracking system that required them to clock into and out of their shifts using their fingerprints.
BIPA requires companies to obtain individuals’ informed consent before recording or disclosing their biometric data, including fingerprints, retina and iris scans, voiceprints, and scans of hand or face geometry. The employees alleged that an employee handbook required them to use the timekeeping system and the policyholder collected and disclosed their fingerprints without their knowledge or permission.
After the policyholder provided notice, its insurer denied coverage and filed a lawsuit seeking declarations that its EPL policy did not require the insurer to defend the policyholder against the BIPA claims.
The EPL Policy Coverage
The EPL policy required the insurer to pay for losses resulting from any claim for an employment practices wrongful act, defined to include the breach of any employment contract, including any obligation arising from an employee handbook.
The definition also covered any employment-related invasion of privacy, including the failure to notify any employee of any actual or potential access to, or use of any employee’s private information, if such notice was required by state or federal regulation or statute.
The policy also contained an exclusion stating that the insurer would not have to pay for any losses based upon the breach of any employment contract, but the exclusion had an exception stating that it would not apply to liability that would have been incurred in the absence of such a contract, or defense costs incurred to defend against such liability.
Finally, the policy also imposed a duty to defend, meaning the insurer had an obligation to defend the policyholder against any potentially covered lawsuits.
The Court’s Ruling
The court held that the insurer had a duty to defend because the employees alleged that the policyholder had engaged in employment practices wrongful acts, or breaches of their employment contracts.
The court noted that the employee handbook required the employees to clock into and out of their shifts using the fingerprint-scanning system. Because the EPL policy potentially covered the employees’ underlying BIPA claims, the insurer had a duty to defend the policyholder.
The court also rejected the insurer’s argument that the breach-of-contract exclusion barred coverage for the employees’ BIPA claims, holding instead that the exception to the exclusion applied because the policyholder could have been liable for the alleged BIPA violations even absent the employment contract and the exception also allowed for defense costs associated with a breach of contract.
Vonachen thus confirms that EPL policies require insurers to defend policyholders against BIPA claims brought by employees. The decision also marks the second major coverage win in 2021 for policyholders facing BIPA claims.
Two Decisions Confirm Duty to Defend Policyholders
Earlier this year, the Illinois Supreme Court similarly held in the Krishna Schaumburg decision that a commercial general liability (CGL) policy required the insurer to provide a defense against an underlying BIPA claim brought by a customer who alleged that a tanning salon improperly collected and disclosed her fingerprint data.
Both decisions have ripple effects throughout the insurance world because many other companies have EPL and CGL policies with similar or identical language. These rulings also matter because state and municipal governments continue to pass new laws (similar to BIPA) that protect individuals from the unauthorized collection and disclosure of their biometric data.
Taken together, these key decisions confirm that CGL and EPL policies require insurers to defend their policyholders against BIPA and other biometric-data claims, despite the insurers’ arguments to the contrary.
When policyholders request a defense, insurers often claim that they did not “intend” for their policies to cover BIPA or other biometric-data claims or some other type of policy should apply (namely, not theirs). But the insurers’ “intent” doesn’t matter—the only things that matter are the words on the page.
Policyholders should also beware of insurers slipping exclusions into their policies that can remove or limit coverage. In Vonachen, the insurer added a breach-of-contract exclusion—even though the policy specifically covered claims alleging breaches of contract.
The exclusion didn’t say that it deleted the policy’s specific coverage for breaches of contract, but the court read the coverage provision and exclusion together as requiring the insurer to cover defense costs for a breach-of-contract claim, but not a resulting judgment or settlement. In this way, the insurer managed to include language that limited its coverage obligations, despite clearly agreeing to cover breach-of-contract actions.
Policyholders should watch out for exclusions that contradict the specific coverages provided by the coverage agreements, as insurers may try to use them later to avoid paying for otherwise covered claims.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Tae Andrews is a policyholder attorney at Miller Friel PLLC.