BIPA and Insurance Coverage – Play Ball!

Privacy & Cybersecurity Newsletter
July 2022

As baseball heads to the All-Star break and the rest of the season, fans are meticulously keeping score and tracking statistics such as RBI, HR’s and K’s. Some follow advanced analytics, like WAR, OPS+ and others. And on the playing field of coverage disputes, insurers and their policyholders are focusing on BIPA. No, BIPA is not another advanced analytic. Instead, now at bat - the Illinois Biometric Information Privacy Act, which came into effect in 2008 and provides a comprehensive set of rules for those entities choosing to collect biometric data from Illinois residents.

BIPA played in the minor leagues until 2015, when a series of class action lawsuits were filed alleging unlawful collection and use of biometric data of Illinois residents. BIPA made it to the big leagues in 2019, when the Illinois Supreme Court held in Rosenbach v. Six Flags Entm’t Corp., 2019 IL 123186 (Ill. 2019) that a plaintiff need not show actual harm in order to have standing to bring suit under BIPA. While there may be no crying in baseball, there was certainly a great deal of consternation among businesses about the onslaught of class action litigation under BIPA following Rosenbach.[1]

Coverage Decisions under Comprehensive General Liability Policies

As one would expect, as those lawsuits have been filed, policyholders have made the proverbial “call to the pen” by tendering the claims to their insurers for coverage. Most of the claims have been noticed under CGL policies. Of interest, the decisions addressing coverage for BIPA claims under CGL policies have started from the premise that the claims fall within the initial grant of coverage, particularly the personal and advertising injury insuring agreement, and instead focus on whether one or more of three separate policy exclusions preclude coverage for BIPA claims.

The lineup of exclusions that insurers have put forward so far, at least in the reported decisions, includes: (1) the Employment Related Practices exclusion; (2) the Violation of Statutes exclusion; and (3) the Access or Disclosure exclusion. Below is a scorecard, so to speak, as to how each of those exclusions have fared to date.

Employment Related Practices Exclusion (Score: 4-1 against exclusion)

The Employment Related Practices (“ERP”) exclusions in the decisions, with some limited differences, preclude coverage in pertinent part for “‘Personal and advertising injury’ … arising out of any … Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person; … .” The ERP exclusion came out swinging with a decision finding no coverage. Am. Family Mut. Ins. Co. v. Caremel, Inc., Case No. 20 C 637, 2022 WL 79868, at *4 (N.D. Ill. Jan. 7, 2022)(J. Leinenweber)(“Caremel”).

Since that time, however, the ERP exclusion has struck out with four subsequent decisions in the Northern District of Illinois taking a narrower view of the ERP exclusion and concluding it does not preclude coverage. In doing so, courts have considered whether the conduct at issue in the BIPA claim, such as using a fingerprint to clock in and clock out, is an employment-related practice of “general similitude” with the employment-related practices specifically listed in the exclusion. Two of the decisions have concluded that there is at least some ambiguity as to whether the conduct underlying a BIPA claim is of the type of employment-related practice contemplated by the exclusion, requiring a finding in favor of the insured. Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No 20-CV-05980, 2022 WL 602534, at *4-5 (N.D. Ill. Mar. 1, 2022)(“Thermoflex”)(J. Kness); Citizens Ins. Co. of Am. v. Highland Baking Co., 20-cv-04997, 2022 WL 1210709, at *1 (N.D. Ill. March 29, 2022)(“Highland Baking Co.”)(J. Pacold). Two other decisions affirmatively concluded that the practice of requiring employees to clock in and out using a biometric time clock was not an employment-related practice of the type contemplated by the exclusion. Those decisions further noted that even if there was only an ambiguity as to whether BIPA claims fall within the scope of the exclusion, the court’s decision that the exclusion does not bar coverage would remain unchanged. State Auto Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., No. 20-CV-6199, 2022 WL 683688, at *9 (N.D. Ill. Mar. 8, 2022)(“Tony’s Finer Foods”)(J. Seeger); Am. Fam. Mut. Ins. v. Carnagio Enters., Inc., No. 20 C 3665, 2022 WL 952533 *5-6 (N.D. Ill. Mar. 30, 2022)(“Carnagio”)(J. Lee).

Violation of Statute Exclusions (Score: 5-1 against exclusion)

The reported decisions have addressed differing versions of this exclusion, with differing titles. One version precludes coverage for personal and advertising injury arising of any action or omission that violates or is alleged to violate the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, or any statute, ordinance or regulation other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information. Another version likewise precludes coverage for violations of the TCPA and CAN-SPAM Act of 2003, but also expands the exclusion to encompass violations of the Fair Credit Reporting Act (“FCRA”) and its amendment, the Fair and Accurate Credit Transactions Act (“FACTA”), as well as any federal, state or local statute, ordinance or regulation (other than the TCPA, CAN-SPAM Act of 2003, or FCRA) that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

To date, only one court has found that either version of this exclusion precludes BIPA coverage. That was in an “away game” decision out of the U.S. District Court for the Middle District of North Carolina. See Mass. Bay. Ins. Co. v. Impact Fulfillment Services, LLC, 1:20CV926, 2021 WL 4392061 (M.D. N.C. Sept. 24, 2021), which conducted its coverage analysis under North Carolina law, as opposed to Illinois law. The exclusion, in both forms, is batting 0-5 in the Illinois courts, including in a decision handed down by the Illinois Supreme Court addressing the arguably more limited version of the exclusion. The decisions in those cases have focused on the doctrine of ejusdem generis, which is a canon of construction holding that when a general word or phrase follows a list of specifics, the general word or phrase will be interpreted to include items of the same class as those listed. In applying the doctrine, courts have concluded that BIPA, which regulates the collection, use, storage and retention of biometric identifiers and information, is not of the same class as the TCPA and CAN-SPAM Act of 2003, which regulate methods of communication, or the FCRA and FACTA, which regulate the use of material such as background reports and credit and debit account information, respectively. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶¶ 58-59 (May 20, 2021); Caremel, 2022 WL 79868, at *4; Thermoflex, 2022 WL 602534, at *5-6; Highland Baking, 2022 WL 1210709, at *1; Carnagio, 2022 WL 952533 at *6-7; Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, Case No. 20 C 3873, 2022 WL 952534, at *4-6 (N.D. Ill. Mar. 30, 2022)(J. Lee)(applying ejusdem generis but noting it was not necessarily applicable because the FCRA and FACTA are so dissimilar from the other statutes referenced in the exclusion).

Access or Disclosure Exclusion (Score: 3-2 against exclusion)

The Access or Disclosure Exclusion bars coverage for “‘Personal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The Access or Disclosure Exclusion has a higher batting average than the other two exclusions, as two of the courts that have addressed the exclusion have found that it applies to preclude coverage. Those courts have concluded that BIPA claims seek damages arising out of a third party’s access to or disclosure of the plaintiff’s personal information, which squarely falls within the scope of the exclusion. Carnagio, 2022 WL 952533 at *9-10; Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21 C 788, 2022 WL 954603 at *8 (N.D. Ill. March 30, 2022)(J. Lee). Three other courts have come to a different conclusion. In doing so, the courts focused on other language in the exclusion, particularly the references to patents, trade secrets, processing methods, customer lists and financial information, to suggest an ambiguity as to whether biometric data was intended to fall within the type of confidential or personal information contemplated by the exclusion. Caremel, 2022 WL 79868 at *3; Thermoflex, 2022 WL 602534 at *7; Highland Baking, 2022 WL 1210709 at *1.

Coverage Decisions under Other Lines of Coverage

The CGL decisions are not the only game in town. At least one federal district court decision addressed a D&O and EPL policy, finding a duty to defend under the EPL insuring agreement but not under the D&O coverage. Twin City Fire Ins. v. Vonachen Servs., No. 20-cv-1150, 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021)(J. Shadid). In a close call, the court found that the allegations in a complaint about the insured’s employee handbook’s references to a biometric timekeeping system and compliance with all laws came within the definition of “Employment Practices Wrongful Act” that included a “breach of any oral, written or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook.” Id. at *17, 22. (emphasis in original). As to the D&O coverage, the court determined that an exclusion under that insuring agreement for any claim “based upon, arising from, or in any way related to any actual or alleged … invasion of privacy” was “clearly broad enough to exclude the BIPA violations alleged” in the complaint. Id. at *13, 17.

In a separate matter, an Illinois trial court dismissed all claims for coverage for two underlying BIPA-related lawsuits under a policy with media liability and data and network liability insuring agreements. As to one of the actions, the court held that the insured did not prove that dissemination of fingerprint information was “to the public” as required by the media liability insuring agreement. The court also did not find that the data and network liability insuring agreement was at issue. Finally, as to the other underlying action, the court determined that no “claim”, as defined by the policy and required by both insuring agreements, had yet been made against the insured. Remprex, LLC v. Certain Underwriters at Lloyd’s, London, Syndicates 2623/623, No. 2020CH05507. Cir. Ct., Cook Cty., Ill., Feb. 28, 2022.

Reading the Signs

In baseball, fans look forward to the seventh inning stretch. Insurers and policyholders dealing with BIPA claims will instead be looking forward to see how the Seventh Circuit Court of Appeals rules on the application of these exclusions as appeals of these decisions are taken. In that regard, it is noteworthy that Judge John Z. Lee, who authored several opinions dealing with coverage for BIPA, was recently nominated by President Biden to the Seventh Circuit.

BIPA swings for the fences with statutory damages of $1,000 for each negligent violation or $5,000 for each intentional violation along with attorneys’ fees and costs (740 Ill. Comp. Stat. Ann. 14/20). The game may go into extra innings depending on how, for example, the Illinois Supreme Court decides a pending certified question about whether an entity runs afoul of BIPA each time the entity allegedly collects or discloses an individual’s biometric information.

In the meantime, new and ongoing coverage cases are on deck, providing additional opportunities for courts to consider the facts of BIPA-related claims and the specific language of insurance policies. See, e.g., Western World Insurance Co. v. PSP Stores LLC, No. 2:22-cv-11333 (E.D. Mich.)(general liability insurer denies coverage to pet supply and services company); Continental Casualty Co. v. Pet Supplies Plus Holding LLC et al., No. 2:22-cv-11324 (E.D. Mich.)(same); Church Mutual Insurance Co. v. Prairie Village Supportive LLC et al., No 1:21-cv-03752 (N.D. Ill.)(assisted living facility seeks coverage under general liability policy). In addition, some insurers are reportedly stating to add new BIPA-specific exclusions to their policies, which may well be the subject of future litigation if claims are denied on the basis of those exclusions.

With the stakes involved, the best BIPA defense is a good offense. Entities are encouraged to manage their BIPA-related risks from the first pitch. Entities should develop information consent, collection, use, retention, and disposal policies carefully and with an understanding of BIPA compliance. Entities that lay off the bad pitches are less likely to have an insurance claim at all or to get involved in a dispute over a claim.


[1] See See Locke Lord companion articles about laws in other states that address the privacy of biometric information and Illinois case law developments about the application of BIPA.