Recently in American Family Mutual Insurance Co., SI, v. Investment Co., an insurer filed an action seeking a declaration that it does not have to defend its insured against an underlying class action brought under Illinois’s Biometric Information Privacy Act.
This lawsuit joins a growing trend of similar actions brought by insurers seeking to escape from their contractual obligations and abandon their insureds in their hour of greatest need.
In some cases, the insurer agrees to defend under a reservation of rights, meaning that the insurer will provide a temporary defense, while actively working behind the scenes to shirk or eliminate its coverage duties. In others, the insurer denies coverage outright, then files a declaratory judgment action, forcing its insured to fight a war on two fronts: the defense against the BIPA class action and the coverage action against its insurer.
The purpose of these lawsuits is clear: Put the insureds on the defensive, force them to incur attorney fees and intimidate them into dropping valid claims for BIPA coverage.
This article will (1) provide a brief summary of BIPA, as well as the kinds of underlying BIPA claims for which insureds are seeking personal and advertising injury coverage under liability policies; (2) explain how liability policies provide personal and advertising injury coverage for many BIPA claims; (3) refute the insurers’ arguments for denying coverage; and (4) provide recommendations for insureds facing these insurer lawsuits.
BIPA governs the collection, use, and dissemination of biometric data and imposes severe punishments for violations.
The Biometric Information Privacy Act is an Illinois statute regulating the collection, use and disclosure of biometric data, including fingerprints, retina and iris scans, voiceprints, and scans of hand and face geometry. As a general proposition, BIPA prohibits private entities from disclosing a person’s biometric information without first obtaining his or her consent.
Recently, there have been a series of BIPA class actions filed by employees alleging that their employers recorded their fingerprints as a method of keeping track of their time (i.e., when they clocked in or out of their shifts) before disclosing their biometric data to third parties, in violation of BIPA.
For each negligent BIPA violation, claimants seek the greater of $1,000 or actual damages; for each intentional or reckless violation, claimants seek the greater of $5,000 or actual damages. These potential damages can add up quickly. Class actions brought under BIPA can present tremendous potential liability and attract aggressive plaintiff attorneys.
Fortunately for corporate policyholders, most liability policies provide personal and advertising injury coverage for the existential threats presented by these kinds of claims.
General liability policies cover allegations of personal and advertising injury, including publication of material that violates a person’s right of privacy.
Many general liability insurance policies provide coverage for claims alleging personal and advertising injury, defined to include “oral or written publication, in any manner, of material that violates a person’s right of privacy.” This is a standard-issue coverage provision. These policies require the insurer to both defend provide defense counsel or reimburse defense invoices and indemnify the insured (pay for any resulting settlements or judgments).
As discussed in more detail in the next section, the West Bend Mutual Insurance Company v. Krishna Schaumburg Tan Inc. case decided earlier this year held that this standard-form personal and advertising injury provision covers BIPA claims alleging disclosure of biometric data to one or more third parties. Nonetheless, insurers facing claims for coverage for BIPA claims have resorted to a variety of tactics to try and wriggle out of their coverage obligations.
Consider coverage issues for BIPA claims under general liability policies.
Despite the holding in Krishna, insurance carriers continue to repeat coverage arguments already decided in favor of policyholders. In addition, some insurers have gone back to the drawing board and come up with additional reasons for denying coverage.
For example, in McEssy, the insurer asserted four main grounds for denying coverage: (1) the BIPA class action does not allege personal and advertising injury; (2) an exclusion for distribution of material in violation of statutes bars coverage; (3) an exclusion for employment-related practices precludes coverage; and (4) an exclusion for access or disclosure of confidential or personal information applies to prevent recovery.
In Krishna, the insurer tried making the first two arguments, but lost. This section explains why the insurers’ first two arguments for denying coverage failed and why the McEssy insurer’s new arguments should fail as well.
BIPA class actions allege personal and advertising injury because disclosure of biometric data to a single third party constitutes publication.
The insurer in McEssy claims that the underlying BIPA class action does not allege personal and advertising injury because there is no alleged “publication of material that violates a person’s right of privacy,” as the underlying BIPA class action only alleges that the insured provided fingerprint data to a single third-party vendor. The insurer in Krishna made this same argument — but lost.
In Krishna, the insurer tried to argue that there was no personal and advertising injury because publication requires communication of information to the public at large, not simply a single third party. The court rejected this argument, noting that both common understanding and dictionary definitions of the term “publication” include both “the broad sharing of information to multiple recipients” and “a more limited sharing of information with a single third party.”
Krishna thus correctly decided this issue in policyholders’ favor: Disclosure of biometric data to a single third party constitutes “publication of material that violates a person’s right of privacy” sufficient to trigger personal and advertising injury coverage under a general liability policy.
The exclusion for distribution of material in violation of statutes does not apply because BIPA regulates biometric data, not methods of communication.
The McEssy insurer asserts another ground for noncoverage that the court in Krishna also rejected, claiming that an exclusion for distribution of material in violation of statutes bars coverage. This exclusion bars coverage for personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate:
- The Telephone Consumer Protection Act, including any amendment of or addition to such law; or
- The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
- Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
Krishna also resolved this argument in policyholders’ favor. Specifically, the court held that this exclusion only applies to statutes that govern certain methods of communication, such as emails, faxes and phone calls.
By contrast, BIPA “says nothing about methods of communication.” Instead, BIPA regulates the collection, use, disclosure, retention and destruction of biometric data — certain types of information. This exclusion does not apply to BIPA class actions claiming disclosure of biometric data, and the insurer in McEssy knows it.
The employment-related practices exclusion does not apply because the BIPA claims in McEssy do not arise out of hiring, firing or job performance.
The insurer in McEssy also raises two new arguments not at issue in Krishna. First, the insurer claims that an employment-related practices exclusion bars coverage for the underlying BIPA class action, because the insured’s alleged fingerprint scanning to track its employees’ time arises out of an employment-related practice. The employment-related practices exclusion bars coverage for personal and advertising injury to a person arising out of any:
- Refusal to employ that person;
- Termination of that person’s employment; or
- Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed that that person.
This exclusion does not apply because the underlying BIPA claims in McEssy do not arise out of the insured’s hiring, firing, or job performance-related decisions. Policy exclusions are construed narrowly against the insurer and in favor of coverage. The insurer also has the burden of showing that a claim falls within a provision that limits or excludes coverage.
Here, Illinois courts have held that whether the employment-related practices exclusion applies depends on the facts specific to each case, although the rationale remains consistent. In order for the exclusion to apply, the complained-of employment-related practice must arise out of the employee’s hiring, firing or job performance.
In McEssy, the BIPA claimants allege that the insured required them to use their fingerprints to clock in and out of their shifts, as a method for keeping track of their time. This administrative system has nothing to do with the employees’ hiring, firing or job performance, so this exclusion should not apply.
The exclusion for access or disclosure of confidential or personal information does not apply because biometric data is not health information.
Finally, the insurer in McEssy raises a second, new coverage defense, arguing that an exclusion for access or disclosure of confidential or personal information applies to bar coverage. This exclusion applies to personal and advertising injury arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other kind of nonpublic information.
This exclusion should not apply because biometric data is different from the listed examples of nonpublic information. Under the exclusion’s plain meaning, biometric data is not similar to virtually all of the listed examples of confidential or personal information.
Most of the examples are data that a person creates or generates, such as patents, trade secrets, processing methods, or customer lists; or financial information or credit card information. The statute specifically states that “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information.”
No one creates or generates biometric data; instead, biometrics are “biologically unique to the individual.” Insurers may argue that biometric data is health information, but that argument should fail because the statute’s definition of “biometric identifiers” does not include information collected, used or stored for health care treatment, such as body weight, X-rays or MRIs.
By contrast, health information such as body weight, cholesterol readings or blood pressure measurements provide insight regarding a person’s health, but is common to many people and does not uniquely identify them. Simply put, fingerprints are not health information, and the exclusion should not apply.
Policyholders who find themselves slammed with insurer declaratory judgment actions are in a tight spot. At a time when they should be focused on the threat from the BIPA claims, when sued by insurance carriers, the policyholders must also retain counsel, incur attorney fees, and answer the insurers’ complaints.
Policyholders that find themselves in this situation need to quickly come up with a strategy to fight back against wrongful denials of coverage. One strategy is to answer the insurer’s complaint, and then quickly move for judgment on the pleadings, as the duty to defend is a question of law, ripe for early adjudication. These intimidation strategies will not work, as long as you are prepared to combat your insurance carriers’ misplaced aggression.
This article was also published in Law360.
 Compl. for Declaratory J., Am. Family Mut. Ins. Co. v. McEssy Inv. Co., No. 1:20-cv-05591 (N.D. Ill. Sept. 21, 2020).
 See, e.g., Am. Compl. for Declaratory J., Am. Family Mut. Ins. Co. v. Amore Enters., Inc., No. 20 C 1659 (N.D. Ill. Sept. 17, 2020); W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (Ill. App. Ct. Mar. 20, 2020).
 See, e.g., McEssy Compl., at ¶ 15 (accepting the tender of the defense while reserving rights, then filing a declaratory judgment action against the insured); Krishna, at *1 (same).
 See, e.g., Compl. for Declaratory J., Am. Guar. & Liab. Ins. Co. v. Toms King LLC, No. 2020CH04472, ¶¶ 42-45 (Ill. Cir. Ct. June 5, 2020).
 Class Action Compl., Currie v. McEssy Inv. Co., No. 20CH00000467, ¶¶ 12-13, 25 (Ill. Cir. Ct. July 10, 2020) (citing 740 Ill. Comp. Stat. 14/10 (2008)).
 Id. at ¶ 26 (citing 740 Ill. Comp. Stat. 14/15(b) (2008)).
 See, e.g., Amore Am. Compl., at ¶ 58; Currie Compl., at ¶¶ 33-35; Toms King Compl., at ¶ 18; Third Am. Class Action Compl., Lark v. McDonald’s USA, LLC, No. 17-L-559, ¶ 122 (Ill. Cir. Ct. Nov. 5, 2019).  740 Ill. Comp. Stat. 14/20 (2008).
 See, e.g., Insurance Services Office (“ISO”) Businessowners Coverage Form BP 00 03 01 06, Section II – Liability, § F. 14. e.
 For example, the definition of “personal injury” in the Businessowners Liability Coverage Form at issue in Krishna similarly included “injury, other than ‘bodily injury,’ arising out of one or more of the following offenses… oral or written publication of material that violates a person’s right of privacy.” Krishna, 2020 IL App (1st) 191834, at *1.
 See, e.g., Insurance Services Office (“ISO”) Businessowners Coverage Form BP 00 03 01 06, Section II – Liability, § A. 1. a. (“We will pay those sums that the insured becomes legally obligated to pay as damages because of… “personal and advertising injury to which this insurance applies. We will have the right and duty to defend the insured against any ‘suit’ seeking those damages.”).
 Krishna, 2020 IL App (1st) 191834, at *9.
 McEssy Compl., at ¶ 18.
 Id. at ¶ 18(c).
 Krishna, 2020 IL App (1st) 191834, at *4-6.
 Id.  Id.
 McEssy Compl., at ¶ 18(e)).
 See, e.g., Insurance Services Office (“ISO”) Businessowners Coverage Form BP 00 03 01 06, Section II – Liability, § B. 1. s.
 Krishna, 2020 IL App (1st) 191834, at *7.
 McEssy Compl., at ¶ 18(e) n.1 (citing Krishna but nonetheless raising this defense “as a good faith challenge to existing law”). Under Rule 11 of the Federal Rules of Civil Procedure, every pleading must be signed by at least one attorney of record and by signing, the attorney represents that to the best of the person’s knowledge, the “claims, defenses, and other legal contentions are warranted by existing law or by a nonfrivolous argument for extending, modifying, or reversing existing law or for establishing new law.” Fed. R. Civ. P. 11(b)(2).
 McEssy Compl., ¶ 18(f). The insurer did not raise this coverage defense in Krishna because the underlying BIPA claimants in that case were the insured’s customers, not its employees. Krishna, 2020 IL App (1st) 191834, at *2.
 See, e.g., Employment-Related Practices Exclusion, ISO Form No. BP 04 17 07 02.
 Am. All. Ins. Co. v. 1212 Rest. Grp., L.L.C., 794 N.E.2d 892, 897 (Ill. App. Ct. 2003) (“Provisions that limit or exclude coverage are to be construed liberally in favor of the insured and most strongly against the insurer.”).
 Id. (“The burden is on the insurer to show that a claim falls within a provision that limits or excludes coverage.”).
 See, e.g., Am. Econ. Ins. Co. v. Haley Mansion, Inc., No. 3–12–0368, 2013 WL 1760600, at *5 (Ill. App. Ct. Apr. 23, 2013) (holding that the employment-related practices exclusion did not apply to alleged defamatory remarks because they had no bearing on the former employee’s previous work performance); 1212 Rest. Grp., 794 N.E.2d at 897-901 (surveying cases analyzing the Employment-Related Practices Exclusion across several jurisdictions and determining that it did not apply).
 Currie Compl., at ¶¶ 33-34.
 McEssy Compl., at ¶ 18(g).
 Exclusion – Access or Disclosure of Confidential or Personal Information and Data-Related Liability – with Limited Bodily Injury Exception, ISO Form No. BP 15 04 05 14.
 740 Ill. Comp. Stat. 14/5(c) (2008).
 740 Ill. Comp. Stat. 14/10 (2008).
 See Cooper v. Westfield Ins. Co., No. 2:19-cv-00324, 2020 WL 5647015, at *8 (S.D. W.Va. Sept. 22, 2020) (applying the exclusion but to alleged disclosure of false information regarding a former employee’s health; i.e., that she had Hepatitis C).