“Access or Disclosure” Exclusion Precludes Coverage for BIPA Lawsuits, But “Violation of Laws,” “Data Breach” and “ERP” Exclusions Do Not 

The United States Court of Appeals for the Seventh Circuit, in an opinion written by Judge Easterbook, affirmed two lower court decisions concerning the scope of an insurer’s duty to defend its insured against allegations of the insured’s violations of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”). Specifically, the Seventh Circuit affirmed the decision by Judge Lee that the “Access or Disclosure” exclusion contained in a commercial general liability primary policy precluded the insurer’s duty to defend, while affirming a decision by Judge Durkin that three other exclusions found in an umbrella policy did not eliminate the duty to defend. 

The insured’s primary policy contained an exclusion for any claims “arising out of access to or disclosure of any person’s or organization’s confidential information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information, or any other type of nonpublic information.” The Seventh Circuit found this “Access or Disclosure” exclusion to be both sufficiently unambiguous and broad so as to exempt coverage for BIPA claims. Specifically: the ordinary understanding of “confidential or personal information” includes handprints and other biometric identifiers usable for identity theft. Accordingly, there was no duty to defend under the primary policy (and the follow-form excess policy). 

The umbrella policy, however, did not contain the same exclusion. The Seventh Circuit examined three other exclusions and found that none of them barred coverage for BIPA claims. First, the “Statutory Violation Exclusion” barred coverage for claims arising out of violations of the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transaction Act (FACTA), and any other law that “restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information.” The Seventh Circuit looked to the Illinois Supreme Court decision in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (and set aside similar earlier decisions by the Seventh Circuit and the Illinois Appellate Court), for the proposition that BIPA is too dissimilar to TCPA, CAN-SPAM, FRCA, and FACTA to be captured by the “catch-all” provision. Thus, the exclusion did not bar coverage for BIPA claims. 

Next, the Seventh Circuit reviewed a “Data Breach Liability” exclusion. By referencing the caption of the exclusion itself, the Seventh Circuit understood this exclusion to apply specifically to situations in which hackers obtain access to personal information. Because the BIPA claims do not allege a data breach and exposure of biometric information to hackers, the “Data Breach Liability” exclusion was inapplicable. 

Finally, the Seventh Circuit analyzed an “Employment-Related Practices” exclusion which barred coverage arising out, among other acts, “employment-related practices, policies, acts, or omissions directed toward that person.” The Seventh Circuit determined that scanning of biometric data at the workplace is not “directed towards” any given employee but is instead just a term or condition of employment. The exclusion, the Seventh Circuit found, is not concerned with such terms and conditions of employment. 

As a result of the analysis, the Seventh Circuit held that the umbrella policy at issue imposes upon the insurer a duty to defend. Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 102 F. 4th 438 (7th Cir. May 17, 2024).