Appellate Court Rules Insurers Have Duty to Defend Illinois Biometric Privacy Claim

Finds Publication Requirement Does Not Require Widespread Dissemination

March 25, 2020
Insights for Insurers

An Illinois state appellate court recently ruled that a customer's biometric privacy class action claims against an insured tanning salon potentially fell within two insurer's personal injury coverage. See, West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (March 20, 2020). The plaintiff in the underlying class action alleged that the salon collected her fingerprint to verify her identification in order to access the insured salon as well as affiliated salons across the country, in violation of Illinois' Biometric Information Privacy Act (BIPA). Specifically, the plaintiff alleged the salon disclosed her fingerprint data to a vendor without her consent, and asserted claims for violation of BIPA, unjust enrichment, and negligence, for which she sought damages for mental anguish and mental injury.

The salon was insured under two Businessowners Liability policies, both of which provided coverage for personal injury caused by an offense arising out of the insured's business. The policies defined "personal injury" as injury arising out of "oral or written publication of material that slanders or libels a person or organization" or "oral or written publication of material that violates a person's right of privacy." The policies also contained an exclusion for violation of statutes, which stated: 


*  *  *  *  *

This insurance does not apply to:


"Bodily injury", "property damage", "personal injury" or "advertising injury" arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Protection Act (TCPA), including any amendments of or addition to such law; or

(2) The CAN-SPAM ACT of 2003, including any amendment of or addition to such law; or

(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of materials or information.

One policy also contained an Illinois Data Compromise Coverage endorsement, which covered the "loss, theft, accidental release or accidental publication of 'personally identifying information' or 'personally sensitive information' as respects one or more 'affected individuals.'" Personal Data Compromise means disposal or abandonment of such information, without appropriate safeguards, which must have been accidental, not reckless or deliberate.

One of the salon's insurers provided a defense under a reservation rights, but then sought a declaration in Illinois state court that the claim was not covered on the grounds that it did not allege an "advertising injury" or a "personal injury," the data compromise endorsement was not applicable, and coverage was precluded by the violation of statutes exclusion. Following cross-motions for summary judgment, the trial court found that the insurer had a duty to defend, the claim fell within the policies' personal injury coverage, and the violation of statutes exclusion did not apply. The court declined to decide if the personal data compromise endorsement provided coverage and ruled that there was insufficient evidence to support the salon's bad faith cross claim.

On appeal, the insurer argued that the policies' personal injury coverage did not apply because there was no "publication" of the plaintiff's information under Illinois law. In support of that position, the insurer relied on the Illinois Supreme Court decision in Valley Forge Insurance Co. v. Swiderski Electronics, Inc., 359 Ill.App.3d 872 (2005), a TCPA fax coverage case, in which the Supreme Court stated:

[I]n the interest of coherently interpreting all the relevant terms of the "advertising injury" provision, we observe that [the underlying] complaint alleges conduct by [the insured' that amounted to "publication" in the plain and ordinary sense of the word. By faxing advertisements to the proposed class of fax recipients as alleged in [the underlying] complaint, [the insured] published the advertisements in both the general sense of communicating information to the public and in the sense of distributing copies of the advertisements to the public.

Because the insured salon here did not distribute the plaintiff's fingerprint data "to the public," the insurer asserted there was no required publication of that data within the meaning of the policies' personal injury coverage. The court, however, disagreed that the Supreme Court in Valley Forge defined "publication" as requiring communication to any number of persons. Based on what it called "common understandings and dictionary definitions," the court held that "publication" includes both the broad sharing of information to multiple recipients and a more limited sharing with a single party. The court noted that the policies' description of a defamation injury used the same "oral or written publication of material" terminology used for personal injury, and that the insurers could have, but did not, define publication to be limited to communication of information to a large number of people. "Because a common understanding of 'publication' encompasses [the salon's] act of providing [the plaintiff's] fingerprint data to a third party," there was a potential for coverage under the policies.

The court then ruled that the violation of statutes exclusion did not apply, stating:

The violation of statutes exclusion read in its entirety makes clear . . . that it was not intended to bar coverage for a statute like [BIPA]. In fact, the exclusion is meant to bar coverage for the violation of a very limited type of statute this is evidenced first from the exclusion's title which [the insurer] conveniently shortens to "Violation of Statutes." The title, as a whole is: Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information. (emphasis in original). The title makes clear that the exclusion applies to statutes that govern certain methods of communication, i.e., e-mails, faxes, and phone calls, not to other statutes that limit the sending or sharing of certain information.

*  *  *  *  *

In light of the title and the two specific statutes listed in the exclusion, the more reasonable reading of this third item is that it is meant to encompass any State or local statutes, rules, or ordinances that, like TCPA and the CAN-SPAM Act, regulate methods of communication.

The court noted that BIPA, on the other hand, "says nothing about methods of communication [but] instead regulates 'the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.'"

The court affirmed the trial court's ruling, holding that the policies' personal injury coverage was triggered and the violation of statutes exclusion did not apply. The court did not consider if coverage is available under the data compromise endorsement, but ruled that there was a bona fide dispute in that regard so that the spa was not entitled to bad faith damages for denial of coverage.

We note that this is the second recent case to address the meaning of "publication" within the context of personal injury coverage where the information at issue was not widely disseminated. The Ninth Circuit also addressed the issue earlier this month.