BIPA and Insurance Coverage II – Are You Ready for Some Case Law?

Privacy & Cybersecurity Newsletter
December 2022

With football season in full swing, fans and fantasy football owners alike are busy watching games and tossing around acronyms like passes – Xs and Os, TDs, PATs, PPR, YACs, and many more. And on the legal gridiron, insurers and their policyholders continue to focus on BIPA. This article provides an update on the score.

The Illinois Biometric Information Privacy Act of 2008 provides a comprehensive set of rules for those entities choosing to collect biometric data from Illinois residents. BIPA used to be a Pop Warner League level concern. However, after years of relative quiet, BIPA found the end zone in 2019, when the Illinois Supreme Court held in Rosenbach v. Six Flags Entm’t Corp.[1] that a plaintiff need not show actual harm in order to have standing to bring suit under BIPA. Since then, BIPA has hit prime time with new cases now filed almost daily.


In our previous article, we described the early work by courts to assess whether comprehensive general liability (CGL) policies provide coverage for BIPA claims. There have been several new decisions. As a reminder, let’s introduce the insurers’ defensive lineup. Insurers to date have relied on one or more of the following exclusions:

  • The Employment Related Practices exclusion;
  • The Violation of Statutes exclusion; and
  • The Access or Disclosure exclusion.

With the newer decisions, the score between insurers and policyholders has tightened up a bit.


The Employment Related Practices exclusions cited in the decisions, with some limited differences, preclude coverage in pertinent part for “‘Personal and advertising injury’ … arising out of any … Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person; … .”

There has been one new decision since our last article, and it’s another incomplete pass for insurers. In Cont’l W. Ins. v. Cheese Merchants of Am., LLC,[2] a federal district court for the Northern District of Illinois once again concluded that the exclusion does not preclude coverage for BIPA claims. According to the Cheese Merchants court, although the underlying lawsuit involved workers who were required to clock in and clock out by scanning the backs of their hands, it did not concern the type of employment related practice contemplated by the exclusion. The exclusion instead concerns examples that speak to “mistreatment targeted at a specific employee” and not a “generally applicable workplace policy that applied to everyone”.[3]


The decisions have addressed differing versions of this exclusion, with differing titles. One version precludes coverage for personal and advertising injury arising out of any action or omission that violates or is alleged to violate the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, or “any statute, ordinance or regulation other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”

Another version likewise precludes coverage for violations of the TCPA and CAN-SPAM Act of 2003, but also expands the exclusion to encompass violations of the Fair Credit Reporting Act (“FCRA”) and its amendment, the Fair and Accurate Credit Transactions Act (“FACTA”), as well as “any federal, state or local statute, ordinance or regulation (other than the TCPA, CAN-SPAM Act of 2003, or FCRA) that addresses, prohibits or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”

In a new decision since our last article, the Northern District of Illinois handed off its first win for an insurer on this exclusion. The only previous victory for an insurer had been an away game before a federal district court in North Carolina. In its recent opinion, the Cheese Merchants court examined an exclusion of the second type described above, concluding that the exclusion’s last section extends its reach to encompass BIPA.[4] The court’s position is based on general contract interpretation principles permitting a broad reading in light of the dissimilarity of the specifically identified acts.[5]


The Access or Disclosure Exclusion bars coverage for “‘Personal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”

The only decision on this topic since our last article went insurers’ way, tying the score at 3-3, or one field goal apiece for insurers and policyholders. Packers fans may not be surprised to learn that it was once again the Cheese Merchants decision, with the court focusing its analysis on the broad word “any” in “any access to or disclosure of” information.[6] In the court’s view, the worker hand scans at issue inherently include “personal information”[7] and also are sufficiently similar to the “health information” entry in the exclusion’s list of examples.[8] In reaching its decision, the court did go out of its way to stress that while the exclusion is broad, it is not so broad as to, as asserted by the policyholder, render coverage “illusory”.[9]


As in our prior article, we note a new decision under a non-CGL policy. In a decision pertaining to an employment practices liability (“EPL”) policy, the Northern District of Illinois in Church Mut. Ins. Co. v. Prairie Village Supportive Living, LLC, et al.[10] upheld an exclusion entitled “Violations of Laws Applicable to Employers.” This exclusion bars coverage for, among other things, a claim concerning an insured’s “responsibilities or duties required by … federal, state, or local statues, rules, or regulations ….” but restores coverage for claims arising out of several specific laws or other laws similar to those specified laws. The court considered the specified laws in the exception to the exclusion, assessed that they each dealt with “discrimination in one form or another”, and determined that “BIPA is categorically different than the enumerated exempted statutes.” The exclusion therefore, according to the court, precludes coverage for this policyholder.[11]


As plays are completed and the ball advances for one party or the other in the overall positioning of BIPA coverage decisions, it becomes more likely that the prevailing party will see a red replay flag thrown by the other party. Rather than taking a knee, the party unsatisfied with a lower court’s decision may choose to seek appellate review in order to see if the ruling on the field stands. Fans of these coverage issues will have to keep their eyes open for further judicial developments.

These coverage disputes can concern significant amounts stemming from BIPA’s statutory damages of $1,000 for each negligent violation and $5,000 for each intentional violation, along with attorneys’ fees and costs. Also, as of early December 2022, teams on both sides of the gridiron are waiting to see how the Illinois Supreme Court decides several BIPA questions, including whether an entity runs afoul of BIPA each time the entity allegedly collects or discloses an individual’s biometric information.

In the meantime, new and ongoing coverage cases are on the bench, providing additional opportunities for courts to consider the facts of BIPA-related claims and the specific language of subject insurance policies.

With the stakes involved, the best BIPA defense remains a good offense. Entities are encouraged to manage their BIPA-related risks from the coin flip. Entities should develop information consent, collection, use, retention, and disposal policies carefully and with an understanding of BIPA compliance. Entities that avoid turnovers are less likely to have an insurance claim at all or to get involved in a dispute over a claim.


[1] 2019 IL 123186 (Ill. 2019).

[2] ___ F. Supp. 3d ___, 2022 WL 4483886 (N.D. Ill., Sept. 27, 2022).

[3] Id. at *4 (citations omitted).

[4] Id. at *16.

[5] Id.

[6] Id. at *5.

[7] Id. at *6.

[8] Id. at *7.

[9] Id. at *8.

[10] 2022 WL 3290686 (N.D. Ill., Aug. 11, 2022).

[11] Id. at *4.