9 minute read
Coverage, What Coverage?
A Federal District Court holds that although insurers keep trying, they cannot invoke unrelated, general exclusions to avoid coverage obligations for claims asserted under the Illinois Biometric Information Privacy Act.
BY JEFFREY BERMAN
“When I use a word,” Humpty Dumpty said, in rather a scornful tone, “it means just what I choose it to mean —neither more nor less.” “The question is,” said Alice, “whether you can make words mean so many different things.” — Lewis Carroll, Through the Looking Glass (1872).
Yes, of course you can, Alice. Or, once again, we see that you can at least try to do so when you practice in the area of insurance coverage litigation.1
1 Humpty Dumpty’s aphorism has been quoted by courts in numerous decisions, including by the United States Supreme Court, and many of those courts have done so in the context of insurance coverage disputes. See, e.g., Tennessee Valley Auth. v. Hill, 437 U.S. 153 (1978); Zschernig v. Miller, 389 U.S. 429 (1968); Larson v. R.W. Borrowdale Co., 53 Ill. App.2d 104, 113 (1st Dist. 1964); see also, e.g., Taylor Morrison Services, Inc. v. HDI-Gerling America Ins. Co., 293 Ga. 456, 460, n.7 (Ga. 2013); County of Sacramento v. Scottsdale Ins. Co., 2003 WL 21246688, *14, n.86 (Cal. App. May 30, 2003); Garden State Indem. Co. v. Miller & Pincus, 773 A.2d 1204, 1208 (N.J. Super. 2001); Blue Cross Blue Shield of Mass., Inc. v. BCS Ins. Co., 671 F.3d 635, In a recent decision, United States District Judge John Z. Lee rejected an effort by American Family Mutual Insurance Company (“American Family”) to open a new avenue to escape its contractual obligation to provide coverage to its insured for an underlying lawsuit allegJeffrey Berman of the law firm ing claims under BIPA. The Court held instead that unrelated policy exclusions of Anderson for employment practices and for cer+ Wanca has tain statutory violations are ineffective extensive experience in to exclude coverage for a claim that an commercial litigation, class 637 (7th Cir. 2011); Continental Westactions and ern Ins. Co. v. Pimentel & Sons Guitar insurance cov- Makers, Inc., 2006 WL 6335399, *3 erage litigation (D. N.M. June 16, 2006); Zapata Herin state and manos Sucesores, S.A. v. Hearthside federal courts across the country. Baking Co., Inc., 2001 WL 1000927, * He is Co-Editor of the Docket and 3, n.3 (N.D. Ill. Aug. 29, 2001); Agroincurrently serves as the Secretary of dustria Nacional, S.A. v. Henry Broch & the LCBA Board of Trustees. Co., 976 F.Supp. 758, 760, n.3 (N.D. Ill. 1997).
insured violated BIPA while handling fingerprints taken from employees for timekeeping purposes.2
WHAT IS BIPA?
The Illinois legislature unanimously passed the Biometric Information Privacy Act, (“BIPA”) in 2008.3 BIPA imposes numerous restrictions on how private entities collect, retain, disclose, and destroy biometric identifiers. BIPA is intended to ensure that individuals are in control of their own biometric data and, among other things, prohibit private companies from collecting said data unless they: • Inform the person in writing of what data is being collected or stored. (e.g., fingerprint is stored when using TouchID to log into bank account app on phone). • Inform the person in writing of the specific purpose and length of time for which the data will be collected, stored, and used. (e.g., fingerprint is stored for ease of logging into app and only for a duration of six months). • Obtain the person’s written consent. (e.g., user signs their name before sharing their fingerprint).4
Biometric information includes retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry, DNA, and other unique biological information.5
BIPA also establishes standards for how companies must handle consumers’ biometric information. In addition to its notice and consent requirement, the law prohibits any company from selling or otherwise profiting from consumers’ biometric information.6 It also imposes strict restrictions on disclosure of collected data.7 BIPA provides a private right of action and carries with it the potential for actual damages or statutory liquidated damages of $1,000 for each negligent violation, $5,000 for each reckless or intentional violation, attorney fees and costs, and injunctive relief.8
2 American Family Mut. Ins. Co. v. Carnagio Enterprises, Inc., 2022 WL 952533. 3 740 ILCS 14/1, et seq. 4 740 ILCS 14/15(b). 5 740 ILCS 14/5. 6 740 ILCS 14/15(c). 7 740 ILCS 14/15(d). 8 740 ILCS 14/20; see Rosenbach v. Six Flags Entm’t Corp., 2019
Therein, as some would say, lies the rub. A veritable tsunami of BIPA class action complaints has ensued in recent years. And, where there are liability claims, insurance coverage litigation wherein insurance companies seek to avoid their contractual coverage obligations is sure to follow. And it has.
A veritable tsunami of THE ILLINOIS SUPREME COURT
Biometric Information ALREADY HELD THAT COVERAGE GENERALLY
EXISTS FOR BIPA
Privacy Act class action CLAIMS. In a 2021 decision titled complaints has ensued West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, in recent years. And, Inc., the Illinois Supreme Court addressed the availabilwhere there are liability ity of coverage generally and held that coverage exists for BIPA claims under a general claims, insurance coverage liability insurance policy.9 Although the insurance policy litigation wherein language may have varied, virtually all coverage denials insurance companies seek prior to that decision rested primarily on two arguments: to avoid their contractual (1) BIPA claims are not a covered “personal injury” where there is no “publication” viocoverage obligations is lating a right of privacy; and (2) BIPA is a statutory scheme sure to follow. And it has. that falls under a violation of statutes catchall exclusion. For the second argument, West Bend sought to invoke subpart (3) of an exclusion entitled “Distribution Of Materials In Violation Of Statutes,” which precluded liability for the following: “Bodily injury”, “property damage”, “personal injury” or “advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. IL 123186. 9 West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL 125978 (May 20, 2021).
The Supreme Court in West Bend rejected both of those arguments. It found BIPA claims implicate a right of privacy for personal injury coverage. It also held that the pertinent language of the exclusion is ambiguous and thus did not serve to bar coverage of the underlying BIPA suit.10
THE RECENT AMERICAN FAMILY DECISION GOES BEYOND WEST BEND.
Carnagio Enterprises, Inc. (“Carnagio”), is a McDonald’s franchisee that was insured by both American Family Mutual Insurance Company, S.I. (“American Family”) and Austin Mutual Insurance Company (“Austin Mutual”) (collectively “Insurers”).11 Each of the relevant policies promised coverage for “the sums that the insured becomes legally obligated to pay as damages because of ‘bodily injury’, ‘property damage’ or ‘personal and advertising injury’ to which this insurance applies.”12 The policies defined “personal and advertising injury” as including, among others, “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”13 The policies also contained identical exclusions, entitled “Employment-Related Practices” (“ERP exclusion”) and “Distribution Of Material In Violation Of Statutes” (“Statutory Violation exclusion”).14 The Statutory Violation exclusion was the same standard form, as was addressed in West Bend.15 The ERP exclusion stated, in relevant part:
This insurance does not apply to: a. “Bodily injury” or “personal and advertising injury” to: i. A person arising out of any: 1. Refusal to employ that person; 2. Termination of that person’s employment; or 3. Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person.... b. This exclusion applies: i. Whether the insured may be liable as an employer or in any other capacity; and ii. To any obligation to share damages with or repay someone else who must pay damages because of the injury.16
10 See also, e.g., Citizens Ins. Co. of America v. Wynndalco Enterprises LLC, 2022 WL 952534 (N.D. Ill. Mar. 30, 2022) (applying
West Bend and rejecting a similar effort by another insurance company to escape its coverage obligations by asserting the catchall subpart of the Violation Of Statutes exclusion). 11 2022 WL 952533, at *1. 12 Id. 13 Id. at *2. 14 Id. 15 Id. 16 Id.
In addition, the Austin Mutual policy contained an additional exclusion for “Access or Disclosure of Confidential or Personal Information.” This exclusion applied to personal information and data-related liability “arising out of any access to or disclosure of any person’s … confidential or personal information, including patents, trade secrets [etc.] … or any other type of nonpublic information.”17
In early 2019, Angela Karikari (“Karikari”) filed a class action lawsuit against Carnagio, asserting claims based on violations of BIPA (the “Karikari Action”).18 Karikari alleged she worked at a McDonald’s restaurant operated by Carnagio, where Carnagio required her to clock in and out of each shift using a fingerprint scanner.19 Despite its use of fingerprints for timekeeping and identification, Karikari claimed Carnagio never informed “its employees of the complete purposes for which it collects their sensitive biometric data or to whom the data is disclosed if at all,” never gave its employees “a written, publicly available policy identifying its retention schedule and guidelines for permanently destroying its employees’ fingerprints,” and never had her sign a release allowing Carnagio to collect her fingerprints.20
Carnagio tendered the Karikari Action to the Insurers seeking coverage and, particularly, a defense. The Insurers then filed a declaratory action seeking a determination of their obligations to defend and indemnify Carnagio for the Karikari Action.21
All parties agreed that a lawsuit arising under BIPA constituted a claim asserting “personal injury” that triggered coverage under the policies. As the Court observed, in light of the recent Illinois Supreme Court decision on the point in West Bend, they “could not reasonably argue otherwise.”22 The coverage question thus turned on the policies’ exclusions. Deciding cross-motions for summary judgment, the District Court addressed the merits of each asserted exclusion and ultimately concluded coverage was not excluded under the American Family policy, but was excluded under the Austin Mutual Policy.
With respect to the ERP exclusion, the Court observed that the case law was mixed regarding its applicability to BIPA claims.23 The Court noted that Karikari did not allege that Carnagio improperly refused to employ her or wrongfully terminated her, so the first two reasons for exclusion do not apply.24
Instead, the Insurers relied on the third category, arguing that Carnagio’s practice of requiring employees to clock in and out using their handprints was an “employment-related practice” that arose out of the employ-
17 Id. at *7. 18 Id. at *1, 3. 19 Id. at *2. 20 Id. 21 Id. at *3. 22 Id. at *4 and n.3. 23 Id. at *4. 24 Id. at *5.
