The Supreme Court of Illinois recently handed down a monumental decision in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc. confirming that commercial general liability, or CGL, policies cover claims brought against policyholders for alleged violations of Illinois’ Biometric Information Privacy Act, or BIPA.
The ruling has widespread implications for other policyholders with similar coverage for personal and advertising liability and represents a critical victory under so-called silent cyber coverage, affirming that insuring policies do not have to include magic words to cover BIPA claims.
This article analyzes the effects of the court’s decision on the scope of coverage provided by commercial general liability policies and explores future, unresolved issues in the ongoing battles over insurance coverage for BIPA claims.
BIPA prohibits companies from collecting, using and disclosing a person’s biometric data without consent.
In Krishna Schaumburg, a customer filed suit against a tanning salon for BIPA violations.[1] The customer alleged that the salon violated the statute by collecting, using, storing and disclosing her biometric information — her fingerprints — to a third-party vendor.[2]
BIPA is an informed-consent statute that prohibits companies from collecting a person’s biometric information unless they: (1) first inform him or her that they are collecting or storing biometric information, in writing; and (2) inform the person of the specific purpose and length of term for which it is collecting the biometric information; and (3) receive a written release.[3]
Biometric information includes retina or iris scans, fingerprints, voiceprints, and scans of hand and face geometry.[4] Biometric data is biologically unique to an individual and thus presents long-term dangers if compromised, as the individual will remain at heightened risk for identity theft.[5]
BIPA prohibits companies from disclosing biometric information to third parties unless: (1) the individual consents; (2) the disclosure completes a financial transaction requested or authorized by the individual; (3) state or federal law requires the disclosure; or (4) a valid warrant or subpoena requires the disclosure.[6]
CGL policies cover claims for personal and advertising injury brought against the policyholder, including publication of material that violates a person’s right of privacy.
The tanning salon carried business owners’ liability insurance policies, also commonly known as CGL policies.[7]
These policies provide liability insurance protecting the policyholder, the salon, from lawsuits brought by third parties, the customer, seeking damages for personal and advertising injury.[8] In key part, the definition of advertising injury includes “oral or written publication of material that violates a person’s right of privacy.”[9]
If a third-party lawsuit results in a settlement or judgment entered against the policyholder, the insurer must pay for the loss.[10] CGL policies also impose a duty to defend, meaning the insurer must also provide defense counsel or pay defense costs if a third party brings a claim against the policyholder.[11]
CGL policies provide standard-issue coverage, meaning most policies have identical or substantially similar language and provisions. Court rulings interpreting this standard-issue policy language can thus have wide-ranging implications for other policyholders.
After the tanning salon requested a defense, its insurer filed a declaratory judgment action, seeking a ruling that it did not have a duty to defend the salon against the customer’s BIPA claim.[12]
The insurer made two main arguments: (1) that the customer’s BIPA claim did not allege personal and advertising injury — i.e., a publication of material that violated a person’s right of privacy; and (2) that a violation of statutes exclusion applied to bar coverage.[13]
The Supreme Court of Illinois confirms that CGL policies cover BIPA claims under their personal and advertising injury coverage.
The Supreme Court of Illinois ruled against the insurer on both arguments, confirming the insurer’s duty to defend its policyholder against the customer’s BIPA claim.[14]
Specifically, the court rejected the insurer’s argument that the term “publication” required the communication or distribution of the customer’s biometric data — her fingerprints — to the public at large in order to trigger covered personal and advertising injury, as opposed to a single vendor.[15]
The court held that covered publication of material that violates a person’s right of privacy includes both communication to a single party and communication to the public at large, ruling in favor of the policyholder.[16]
The court also holds that the violation of statutes exclusion does not apply to BIPA claims.
The court also held that a violation of statutes exclusion did not apply to bar coverage for the customer’s BIPA claim.[17]
Many CGL policies contain this exclusion, which bars coverage for personal and advertising injury arising out of any action or omission that violates or is alleged to violate: (1) the Telephone Consumer Protection Act; (2) the Controlling the Assault of Nonsolicited Pornography And Marketing Act; or (3) any other statute that prohibits or limits the sending, transmitting, communicating or distribution of material or information.[18]
The insurer tried to argue that the violation of statutes exclusion applied to the customer’s BIPA claim, but the court held that the exclusion only applies to statutes that regulate certain methods of sending material or information, like the above statutes.[19]
Because BIPA does not regulate methods of communication, but instead governs the collection, use, safeguarding, handling, storage, retention and destruction of biometric information, the exclusion did not apply.[20]
The court’s ruling stands as a landmark victory for policyholders under silent cyber coverage for biometric-data privacy claims.
Krishna Schaumburg thus stands as a landmark ruling: the first definitive decision confirming that CGL policies cover BIPA claims under their coverage for personal and advertising injury.[21] The decision has wide-ranging consequences for other policyholders in similar coverage disputes, as insurers have already begun withdrawing arguments based on the court’s ruling.[22]
The decision also marks a resounding victory for policyholders under so-called silent cyber or nonaffirmative cyber coverage. When policyholders request coverage for BIPA claims, their insurers often try to discourage them by claiming that they did not intend for CGL policies to cover BIPA claims.
But the insurers’ intent is irrelevant; all that matters is the language of the policy — and insurers rarely intend for their policies to cover anything. Krishna Schaumburg thus confirms that there are no magic words necessary for CGL policies to cover BIPA claims — instead, the language of the policy controls.
Insurers and their counsel have already begun grumbling about the decision, arguing that the court somehow expanded the meaning of “publication” of material that violates a person’s right of privacy sufficient to trigger personal and advertising injury.[23]
But as the court pointed out, long-standing definitions of the word “publication” have interpreted the term to include disclosure of information to a single party — such as a vendor receiving fingerprints or other biometric data — as well as the public at large.[24]
The court’s decision thus recognizes that insurance policies are contracts of adhesion, drafted only by the insurer and without the policyholder’s input, and thus applied longstanding rules of interpretation requiring courts to construe terms capable of more than one meaning in favor of the policyholder.[25]
While the court resolved two critical issues in policyholders’ favor, other issues not in dispute in Krishna Schaumburg remain unresolved in other pending cases, including whether employment-related practices and disclosure of confidential or private information exclusions bar coverage for BIPA claims and whether insurers will begin adding BIPA exclusions to CGL policies upon renewal.
Future Battlegrounds in Insurance Coverage Disputes Over BIPA Claims
The Employment-Related Practices Exclusion
Post-Krishna Schaumburg, insurers have argued in several pending cases that an employment-related practices exclusion bars coverage for BIPA claims.[26] The court did not decide whether this exclusion applied in Krishna Schaumburg because the BIPA plaintiff was a customer of the insured tanning salon — not an employee.[27]
In many other insurance disputes over coverage for BIPA claims, the policyholders are employers facing BIPA claims brought by their employees. These employees often claim that their employers violated the statute by improperly collecting, storing, using and disclosing their biometric data by using timekeeping systems that scanned their fingerprints, as a method of having them clock into and out of their shifts.[28]
When the employers seek defense coverage under their CGL policies, the insurers have denied coverage based on a new exclusion: the employment-related practices exclusion.[29]
This exclusion typically states that the policy’s personal and advertising injury coverage does not apply to claims brought by a person arising out of any: (1) refusal to employ that person; (2) termination of that person’s employment; or (3) employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.[30]
The insurers claim that this exclusion bars coverage because the employers’ use of their employees’ fingerprints as a timekeeping system is an employment-related practice or policy.[31]
However, the case law indicates that the exclusion only applies to claims arising out of an employee’s hiring, firing, or job performance, or an employer’s wrongful conduct related to such personnel decisions — i.e., “matters that directly concern the employment relationship itself.”[32]
The exclusion does not apply to all matters that concern or relate to employees.[33] By contrast, the fingerprint timekeeping system is only an administrative device, unrelated to the employees’ performance, and does not directly concern the employment relationship, indicating that the exclusion should not apply.[34]
No court has yet ruled on whether the employment-related practices exclusion applies to bar coverage for BIPA claims, but currently pending cases have raised this issue, making it an unresolved issue to watch in the second half of 2021.[35]
Disclosure of Confidential or Private Information Exclusion
After Krishna Schaumburg, insurers have also raised a second new coverage defense, arguing that an access or disclosure of confidential or personal information exclusion bars coverage for BIPA claims.[36]
This exclusion states that coverage does not apply to personal and advertising injury arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.[37]
The insurers claim that this exclusion should bar coverage because biometric information is confidential or personal information.[38] But a brief reading of the exclusion and BIPA also indicates that this exclusion should not apply.
First, most of the examples of confidential or personal information are things that people create and can change, such as patents, trade secrets, processing methods and customer lists.[39] By contrast, people do not create and cannot change their biometric information — instead, biometrics are biologically unique to the individual.[40]
Second, BIPA explicitly states that biometric information is different from “other unique identifiers that are used to access finances or other sensitive information” — i.e., financial information and credit card information.[41]
The statute also specifically states that biometric data does not include information collected, used or stored for health care treatment — i.e., health information.[42] The exclusion thus should not apply.
Even so, you can expect insurers to continue arguing that the disclosure of confidential or private information exclusion bars coverage for BIPA claims, making this issue another key battleground in future BIPA coverage disputes.
Policyholders should beware of insurer attempts to add BIPA exclusions to CGL policies upon renewal.
Finally, insurers are already adding BIPA exclusions to CGL policies.[43] This is a common insurer move — when a widespread event potentially implicates many of their policies, insurers try to add exclusions not only for that event, but for any similar ones in the future, such as adding a terrorism exclusion after 9/11 or a pandemic exclusion after the COVID-19 pandemic.
Adding these exclusions is part of insurer efforts to avoid paying for losses and slowly hollow out the coverage provided by their policies over time.
Policyholders should carefully review any such exclusions and beware of insurer attempts to similarly exclude coverage for any statutes similar to BIPA, as several states have now passed similar laws protecting biometric information — with more likely to follow suit in the future.[44]
Policyholders should also negotiate reduced premiums or other concessions if their insurers add BIPA exclusions to their policies, as they would otherwise pay the same premiums, but receive less coverage — without any additional consideration. No matter what your insurer tries to tell you, CGL policies cover BIPA claims, as the Supreme Court of Illinois has now made clear.
This article was also published in Law360.
[1] W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., No. 2021 IL 125978, 2021 WL 2005464, at *1 (Ill. May 20, 2021).
[2] Id.
[3] 740 Ill. Comp. Stat. Ann. 14/15(b) (West 2021).
[4] 740 Ill. Comp. Stat. Ann. 14/10 (West 2020).
[5] 740 Ill. Comp. Stat. Ann. 14/5(c) (West 2021).
[6] 740 Ill. Comp. Stat. Ann. 14/15(d) (West 2021).
[7] Krishna Schaumburg, 2021 WL 2005464, at *2.
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] Id. at *3.
[13] Id.
[14] Id. at *10.
[15] Id. at *6.
[16] Id. at *6-8.
[17] Id. at *8-9.
[18] Id. at *2-3.
[19] Id. at *10.
[20] Id. at *9-10.
[21] Id. at *10.
[22] E.g., Pl.’s Mot. for Leave to Cite New Authority & Withdraw Certain Prior Arguments, State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., No. 1:20-cv-06199 (N.D. Ill. May 20, 2021).
[23] Daphne Zhang, Ill. Justices Ring ‘Alarm Bell’ For Insurers on BIPA Coverage, Law360 (May 24, 2021), https://www.law360.com/articles/1387169/ill-justices-ring-alarm-bell-forinsurers-on-bipa-coverage.
[24] Krishna Schaumburg, 2021 WL 2005464, at *7.
[25] Id. at *7.
[26] Pl.’s Mem. of Law in Supp. of Its Mot. for Summ. J., State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., No. 1:20-cv-06199, § 2. A. (N.D. Ill. Jan. 28, 2021).
[27] Krishna Schaumburg, 2021 WL 2005464, at *1.
[28] E.g., Compl. for Declaratory J., Old Republic Union Ins. Co. v. McDonald’s USA, LLC, No. 2021CH02445, ¶¶ 3, 32-33, 35 (Ill. Cir. Ct. May 19, 2021).
[29] Id. at ¶ 82.
[30] Compl. for Declaratory J., Citizens Ins. Co. of Am. v. Nw. Pallet Servs., LLC, No. 1:21cv-02804, ¶ 38 (N.D. Ill. May 25, 2021).
[31] E.g., Compl. for Declaratory J., Old Republic Union Ins. Co. v. McDonald’s USA, LLC, No. 2021CH02445, ¶ 82 (Ill. Cir. Ct. May 19, 2021).
[32] E.g., Peterborough Oil Co. v. Great Am. Ins. Co., 397 F. Supp. 2d 230, 238-39 (D.
Mass. 2005); see also Am. All. Ins. Co. v. 1212 Rest. Grp., L.L.C., 794 N.E.2d 892, 897 (Ill. App. Ct. 2003) (holding that the exclusion did not apply to alleged defamatory statements because they did not all relate to the employee’s job performance); Am. Econ. Ins. Co. v. Haley Mansion, Inc., No. 3–12–0368, 2013 WL 1760600, at *5 (Ill. App. Ct. Apr. 23, 2013) (also holding that the exclusion did not apply to alleged defamatory remarks unrelated to a former employee’s work).
[33] Peterborough, 397 F. Supp. 2d at 239.
[34] Def.’s Mem. of Law Opposing Pl.’s Mot. for Summ. J., State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., No. 1:20-cv-06199, § II. B. (N.D. Ill. Mar. 8, 2021).
[35] Id.
[36] Compl. for Declaratory J., Citizens Ins. Co. of Am. v. Nw. Pallet Servs., LLC, No. 1:21cv-02804, ¶ 53 (N.D. Ill. May 25, 2021).
[37] Compl. for Declaratory J., Citizens Ins. Co. of Am. v. Nw. Pallet Servs., LLC, No. 1:21cv-02804, ¶ 51 (N.D. Ill. May 25, 2021).
[38] Id. at ¶ 53.
[39] Id. at ¶ 51.
[40] [40] 740 Ill. Comp. Stat. Ann. 14/5(c) (West 2021).
[41] 740 Ill. Comp. Stat. Ann. 14/5(c) (West 2021) (“Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information.”).
[42] 740 Ill. Comp. Stat. Ann. 14/10 (West 2021).
[43] Daphne Zhang, Ill. Justices Ring ‘Alarm Bell’ For Insurers on BIPA Coverage, Law360 (May 24, 2021), https://www.law360.com/articles/1387169/ill-justices-ring-alarm-bell-forinsurers-on-bipa-coverage.
[44] Michele Gorman, What GCs Need To Know About Va.’s New Data Privacy Law, Law360 Pulse (Mar. 16, 2021), https://www.law360.com/pulse/articles/1365370/what-gcs-need-toknow-about-va-s-new-data-privacy-law.