Seventh Circuit Ruling on Insurance Coverage for Biometric Privacy Class Actions Strays From Trend Protecting Policyholders
In light of the continuing barrage of lawsuits brought under the Illinois Biometric Information Privacy Act (BIPA), companies should be able to rely on their general liability (GL) insurers to defend and indemnify them from potential BIPA liability.
For years, the Illinois Supreme Court and the U.S. Court of Appeals for the Seventh Circuit were in lockstep in protecting corporate policyholders from overreaching insurers looking to avoid BIPA liability.
Recently, however, the Seventh Circuit strayed from that trend in Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc., No. 23-1521, 2024 WL 2237977 (7th Cir. May 17, 2024), ruling on the applicability of several GL policy exclusions to BIPA lawsuits with mixed results for policyholders. Ultimately, the court held that the insurer had to defend its policyholder against a BIPA action under its umbrella policy, adopting a policyholder-favorable interpretation of an exclusion that has been subject to differing interpretations in Illinois state and federal courts.
The Seventh Circuit, however, refused to find coverage under the insurer's GL and excess policies. In so doing, the court broke new ground by disagreeing with the majority of lower courts and holding that the policies' "Access or Disclosure Exclusion" applied.
The Case
In Thermoflex, an auto accessory company sought coverage under its GL, primary, excess, and umbrella insurance policies for a class-action lawsuit. The lawsuit alleged that by requiring employees to clock in and out of work using their handprints without the workers' written consent and using a third party to process the data, the company violated BIPA. After notifying the insurer of the lawsuit, the insurer refused to defend the company, asserting that the company's insurance policies did not cover BIPA suits.
In arguing against its duty to defend under its primary policy, the insurer pointed to several exclusions, including for claims "arising out of any access to or disclosure of any person's or organization's confidential or personal information"—often called the "Access or Disclosure Exclusion." The Seventh Circuit held that the Access or Disclosure Exclusion applies to BIPA suits—a significant blow to Illinois companies facing exposure to BIPA suits.
The court, however, also held that the insurer had a duty to defend the company under its umbrella coverage, rejecting the insurer's arguments that the policy's "Statutory Violation," "Data Breach Liability," or "Employment-Related Practices" exclusions applied to BIPA.
Access or Disclosure Exclusion—A Departure From the Weight of Authority
Prior to Thermoflex, Illinois federal courts were split on whether the Access or Disclosure Exclusion applies to BIPA claims. As mentioned, a standard Access or Disclosure Exclusion provides that an insurance policy
"does not apply to [claims] arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information."
Until now, nearly every Illinois federal court to review this exclusion correctly held that it does not apply to BIPA suits because the "other type of nonpublic information" catch-all, when read in context with the rest of the list, is not broad enough to include biometric information.[1] Instead, the exclusion targets certain kinds of confidential or personal information that differ from the biometric identifiers protected under BIPA.[2] At best, there is more than one reasonable interpretation of the exclusion, rendering it ambiguous, and in Illinois, ambiguities in an insurance policy are resolved in favor of the insured.[3] Not all judges, however, had been in accord, including Judge John Lee, who is now on the Seventh Circuit.[4]
Notwithstanding the weight of authority and without discussing the reasoning in the majority-rule decisions, the Seventh Circuit adopted the minority view and held that the Access and Disclosure Exclusion applies to BIPA suits. The Thermoflex court instead accepted Judge Lee's reasoning that the ordinary understanding of "confidential or personal information" includes biometric identifiers. This analysis, however, ignored previous rulings following Illinois' rule that policy exclusions must be read narrowly and only apply where they are clear, definite, and specific.
The Seventh Circuit's decision to depart from the majority of district courts is problematic for Illinois policyholders, as it opens the door to insurers more firmly denying coverage under GL policies based on the Access or Disclosure Exclusion. It will now require Illinois Supreme Court intervention for policyholders to obtain the BIPA coverage they bargained for.
Exclusions for Statutory Violations, Data Breach Liability, and Employment-Related Practices
After foreclosing coverage under the GL and excess policies, the court turned to the company's umbrella policy. The court acknowledged that the umbrella coverage lacked an Access or Disclosure Exclusion and instead focused on three other exclusions. The court correctly held that none of these exclusions apply to BIPA suits, and the insurer had a duty to defend the company under its umbrella coverage.
The Broad Statutory Violation Exclusion Does Not Apply to BIPA
Building on its prior holding in Citizens Ins. Co. of Am. V. Wynndalco Enterprises, LLC, et al., the Seventh Circuit held that even a broad interpretation of the Statutory Violation Exclusion does not apply to BIPA suits. This exclusion in the company's policy blocks coverage for matters arising from violations of:
"(1) the Telephone Consumer Protection Act (TCPA), including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations;
(2) the CAN-SPAM ACT of 2003, including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations.
(3) the Fair Credit Reporting Act (FCRA), including any amendments thereto, such as the Fair and Accurate Credit Transaction Act (FACTA), and any similar federal, state, or local laws, ordinances, statutes, or regulations; or
(4) any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information."
Before turning to its analysis, the court recognized a split between federal and state authority. While the federal court in Wynndalco ruled the Statutory Exclusion does not apply to BIPA suits, an Illinois appellate court subsequently disagreed and held that such an exclusion does bar coverage. Nat'l Fire Ins. Co. of Hartford & Cont'l Ins. Co. v. Visual Pak Co., Inc., 2023 IL App (1st) 221160.
However, instead of interpreting the present exclusion in light of Wynndalco or Visual Pak, the court instead referenced the reasoning of an Illinois Supreme Court case, which held that a similar exclusion did not apply to BIPA. West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. The Seventh Circuit adopted the holding in Krishna which, following rules of policy construction, found that the Statutory Exclusion is limited to statutes that are like those enumerated in the clause (i.e., TCPA and the CAN-SPAM ACT)—and BIPA is unlike those statutes. Thus, the Thermoflex court held that the Statutory Violation Exclusion in Thermoflex's umbrella policy similarly does not apply to BIPA.
Significantly, the Thermoflex decision extended its previous ruling in Wynndalco to an even broader Statutory Violation Exclusion of the kind the Illinois appellate court found applicable in Visual Pak. This ruling indicates the Seventh Circuit believes Visual Pak was wrongly decided. The Illinois Supreme Court, however, recently did not grant review of that case.
It is worth noting that the reasoning that led to this holding—interpreting the catch-all provision in the context of surrounding words—is the same approach that the Seventh Circuit declined to employ in its earlier analysis of the Access or Disclosure Exclusion.
The Data Breach Liability Exclusion Does Not Apply to BIPA
The insurer in Thermoflex also argued that BIPA claims are barred by the Data Breach Liability exclusion, which states the policy does not cover:
"1) … [loss] arising out of disclosure of or access to private or confidential information belonging to any person or organization; or
2) any loss, cost, expense, or 'damages' arising out of damage to, corruption of, loss of use or function of, or inability to access, change, or manipulate 'data records'."
The court held that this exclusion also does not apply to BIPA because the exclusion concerns outside parties disclosing data from the insured, whereas BIPA involves the disclosure of data to the insured.
The Employment-Related Practice Exclusion Does Not Apply to BIPA
Finally, the court considered the applicability of the Employment-Related Practice (ERP) Exclusion, which has been deemed inapplicable to BIPA in the vast majority of previous lower court decisions. That exclusion bars, in relevant part, coverage of injury arising out of:
"c) coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct, or other employment-related practices, policies, acts, or omissions directed towards that person[.]"
The court acknowledged that collecting and processing handprints in the course of clocking in and out of work is an "employment-related practice" but nonetheless held that the exclusion did not apply to the BIPA suit because it is a general practice not "directed toward" any given employee.
Conclusion
The Seventh Circuit's decision in Thermoflex is a bit of an enigma. Businesses with contacts in Illinois can have confidence that other exclusions in their insurance policies—Statutory Violation, Data Breach Liability, and ERP—will not eliminate coverage for BIPA claims. But the Seventh Circuit's ruling as to the Access or Disclosure exclusion will create new challenges for corporate policyholders facing exposure to BIPA liability. Policyholders will now have to wait in hopes that the Illinois Supreme Court will take action and clarify that both the Access or Disclosure Exclusion and Statutory Violation Exclusion are inapplicable to BIPA suits. Given the Illinois Supreme Court's recent puzzling decision not to review Visual Pak, it seems that policyholders and insurers alike will now live with increased uncertainty.
Endnotes
[1] See Am. Fam. Mut. Ins. Co. v. Caremel, Inc., No. 20 C 637, 2022 WL 79868, at *3 (N.D. Ill. Jan. 7, 2022).
[2] See Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 588 F. Supp. 3d 845, 855 (N.D. Ill. 2022).
[3] Soc'y Ins. v. Cermak Produce No. 11, Inc., 684 F. Supp. 3d 739, 746 (N.D. Ill. 2023).
[4] Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 595 F. Supp. 3d 677 (N.D. Ill. 2022), aff'd, No. 23-1521, 2024 WL 2237977 (7th Cir. May 17, 2024).
© 2024 Perkins Coie LLP