Court Finds that Liability Insurance Coverage Covers Company Sued under Illinois Biometric Information Privacy Act
October 20, 2020A recent case of first impression out of the Illinois Appellate Court, First District continues to develop precedent for class actions under the Illinois Biometric Information Privacy Act (BIPA). In West Bend Mutual Insurance Company v. Krishna Schaumberg Tan, Inc., the Illinois Appellate Court held that a company’s liability insurance policy for personal injury covered an underlying class action alleging violations of BIPA and that the company’s insurer therefore had a duty to defend the company in the class action. This case adds to the important precedent relating to BIPA class actions that has developed over the past few years, and sheds light as to how courts may construe insurance policies involving alleged BIPA violations.
Certain previous court decisions have also set notable precedent for BIPA violations and set the stage for the importance of the West Bend case. A 2019 landmark decision discussed here established that companies could be held liable under BIPA for mere statutory non-compliance. In this case, the Illinois Supreme Court found that civil liability under BIPA, which carries penalties that could exceed $5,000 per violation, does not require a data breach, wrongful disclosure, or actual injury to the consumer. Following the case, the number of class actions under BIPA has skyrocketed across the country, including a Ninth Circuit case that Facebook agreed to settle in January 2020 for $550 million (discussed here).
The West Bend case stems from a class action complaint filed against a tanning company, Krishna Schaumburg Tan, Inc., by clients in April 2016. The complaint alleged violations of BIPA, specifically that Krishna Schaumburg Tan, as part of its membership, required clients to have their fingerprints scanned for identity verification purposes and then disclosed this biometric data to a third-party vendor without providing or obtaining written consent from clients. Krishna Schaumburg Tan tendered the class action complaint to its insurer, West Bend, seeking a defense and indemnity under its insurance policies. West Bend agreed to defend Krishna Schaumberg Tan under a reservation of rights but then sought a court declaration that it had no duty to defend the company. West Bend argued that the insurance policies did not cover the class action lawsuit because the underlying allegations did not describe an “advertising injury” or a “personal injury” and, in the alternative, that a policy exclusion for statutory violations barred coverage for the underlying lawsuit.
Both the trial court and the Illinois Appellate Court found that West Bend had a duty to defend Krishna Schaumburg Tan because (1) the underlying class action complaint potentially fell within the insurance policies’ definition of “personal injury”; and (2) the statutory violations exclusion did not apply. The policies defined “personal injury” as an “injury, other than ‘bodily injury’ arising out of…oral or written publication of material that violates a person’s right of privacy.” The Illinois Appellate Court held that the transmission of fingerprint data qualified as a “publication” as that term was used in the policies, rejecting West Bend’s argument that publication required communication of information to the public at large, rather than to a single third party. In doing so, the court highlighted that the term “publication” was not defined in the policies, and thus the coverage analysis required the court to consider the dictionary definitions of “publication” rather than solely how other courts have construed the term.
The West Bend case illustrates how a BIPA class action may be covered under an insurance policy as a “personal injury” and how a court may interpret “publication” of biometric information. It also highlights the need for insurance coverage for data privacy matters, which we previously discussed in relation to data breaches here. As litigation in this area continues to increase, companies that collect information subject to BIPA or to other biometric privacy laws should monitor and ensure their compliance with those laws, as well as obtain adequate insurance coverage or review existing coverage to ensure protection from alleged violations.
If you need assistance complying with biometric information laws or other privacy laws, or if you have any questions regarding your insurance policies or any potential insurance claims associated with collecting biometric information, please contact one of the authors above.