Companies face significant exposure from privacy-related claims. A growing number of these claims result from state-level efforts to regulate the use of personal data. One major focus area is the Illinois Biometric Information Privacy Act (“BIPA”), but as lawmakers in other states continue to introduce legislation aimed at regulating the use of biometric data, more court decisions may muddy the waters regarding what conduct might be covered by the law. Privacy of biometric information. General liability policy.
Coverage disputes involving BIPA exposure are arising with increasing frequency, and courts do not always agree with each other, as evidenced by disparate appellate decisions addressing insurance coverage of such claims. For example, the Illinois First Judicial District Court of Appeal recently ruled that an insurer has no obligation to defend an insured against a class action alleging that the insured violated BIPA. National Firefighting. Hartford Company et al. v. Visual Pack Inc. et al., Case No. 1-22-1160 (Ill. Ct. App. Dec. 19, 2023). Thus, the court declined to extend the Seventh Circuit’s July 2023 decision, which reached the opposite conclusion.
Key facts and claims
A class of employees has filed a lawsuit against their employer, Visual Pak, for alleged BIPA violations stemming from its use of employee biometric data provided by the staffing agency. Every time a recruitment agency hired an employee into Visual Pak, the employee was required to register in a database using their fingerprint scan. The class members alleged that Visual Pak violated BIPA by collecting, storing, using, or disseminating class members’ fingerprints without their consent and without informing them of how their biometric information would be used.
Visual Pak submitted the claim to its insurance companies. Two general liability insurers declined to cover the claim, arguing that the policy’s “recording and distributing material or information in violation of law” exclusion prevented coverage of the claim. This exclusion sought to bar coverage for any personal or advertising injury arising from violations of any of the following: (1) the Telephone Consumer Protection Act; (2) CAN-SPAM Act of 2003; (3) the Fair Credit Reporting Act as amended, including the Fair and Accurate Credit Transactions Act; and (4) “any federal, state, or local (other) law, ordinance, or regulation… that addresses, prohibits, or limits the printing, publication, disposal, collection, recording, transmission, transmission, communication, or distribution of materials or information. The insurers argued that BIPA fell within the “catch-all” language of Class 4 and therefore denied that they had a duty to defend Visual Pak against BIPA’s class action lawsuit.
After the underlying lawsuit was settled, the insurers filed a declaratory judgment action seeking a declaration that they did not owe a duty to defend or indemnify Visual Pak from the lawsuit. On a motion for judgment on the pleadings, the trial court ruled that the insurers had no duty to defend Visual Pak.
Illinois Court of Appeals ruling
The Illinois Court of Appeals affirmed the lower court’s order, holding that the violation exclusion applied to Visual Pak’s BIPA claim and thus barred coverage for the claim. In doing so, the court noted that it was “simply impossible to deny” that the blanket language in Category 4 of the exception described BIPA, as BIPA “regulates the collection, dissemination, and disposal of identifiers and biometric information about an individual.” Therefore, the court held that the insurers had no duty to defend Visual Pack.
The court noted that its decision differed from other precedents, including the Illinois Supreme Court’s decision West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc. The decision, in which the Illinois Supreme Court found that an insurer had a duty to defend an insured against a BIPA lawsuit despite similar exclusionary language in that insurance policy. The Court distinguished between the “inclusive” language of Category 4 and the exclusionary language in West Bendnoting that West Bend The scope of the policy’s coverage was broader because the relevant policy exclusion did not include restrictions on laws or legislation relating to the “disposal, collection and recording of information”.
The court also discussed the Seventh Circuit case American Citizens Insurance Company v. Wyndalco Enterprises LLC The decision we have already discussed. in Wendalko, the Seventh Circuit concluded that an insurer was obligated to defend an insured against a BIPA lawsuit where the insurance policy contained language nearly identical to the language used to exclude a violation of the statute because the exclusion language was too broad and included certain legal causes of action expressly covered by the insurance policy. The court expressly disagreed Wendalko The decision, noting that it was not an “accurate reflection of Illinois law,” noted that the court was not bound by federal court precedent. The court concluded that “(l)o liability for violation of BIPA is unambiguously excluded from coverage. We therefore respectfully disagree with the Seventh Circuit’s decision in Wendalko We hold that (insurers) are not obligated to defend the underlying BIPA lawsuit.
Main sockets
the Visual pack The decision creates tension with the Illinois Supreme Court West Bend The decision expressly rejected the decision of the Seventh Circuit Wendalko resolution. These conflicting decisions show that different courts often reach different conclusions regarding nearly identical policy language. While the West Bend And Wendalko Courts have imposed a duty on insurers to defend the insured against BIPA claims under Illinois law, Visual pack The court analyzed nearly identical policy language, holding that the insurer had no duty to defend the insured against BIPA claims.
As biometric privacy law continues to develop, insurers and insurers should monitor conflicting precedents to evaluate how courts reconcile differing opinions. Biometric privacy laws apply to all companies, not just those in traditional technology or security sectors. Insureds need to carefully analyze potential coverage when purchasing and renewing their insurance policies and consider how courts will interpret certain language contained in their insurance policies.
These considerations are not limited to Illinois only. While Illinois is currently the only state that provides a private right of action for affected individuals, both Texas and Washington have passed laws regulating how a company can use biometric data. Likewise, the European Union’s General Data Protection Regulation (“GDPR”) restricts how companies collect and use biometric data. Following Illinois’ lead, lawmakers in at least 12 other states have proposed legislation regulating the use of biometric information in 2023 alone. Other states may pass similar laws in the near future, and will likely look to existing federal court case law in Illinois to determine whether those states’ new laws fall within the “catch-all” provisions in insurance policies.