Statutory Violation Exclusion Ambiguous – Does Not Bar Coverage

The United States District Court for the Northern District of Illinois, in an opinion written by Judge Lee, applying Illinois law, held that coverage for alleged violations of the Illinois Biometric Information Privacy Act (“BIPA”) was not unambiguously precluded by a Statutory Violation exclusion in a business liability insurance policy. The policy at issue provides coverage for personal and advertising injury, defined in part as “injury… arising out of… oral or written publication, in any manner, of material that violates a person’s right of privacy.”

In the underlying litigation, Wynndalco Enterprises, LLC, was sued for allegedly selling access to an artificial intelligence database containing facial scans scraped from social media and content sharing platforms. The insurer, Citizens Insurance Company of America (“Citizens”), denied coverage, citing an exclusion for “Distribution of Material in Violation of Statutes”, which excludes coverage for injury arising out of violations of the Telephone Consumer Protection Act (“TCPA”), the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (“FCRA”), the Fair and Accurate Credit Transaction Act (“FACTA”), or “any other laws, statutes… that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”

The Supreme Court of Illinois recently held that a “nearly identical provision” was ambiguous (see Insurance Bytes summary). Here, the District Court found no reason to distinguish the provision at issue from that examined by the Supreme Court of Illinois.

Furthermore, the District Court held that BIPA did not share a common characteristic to the four statutes listed in the exclusion. Though they all are concerned with privacy, the TCPA and CAN-SPAM Act protect individuals from receiving unauthorized communications, while FCRA, FACTA, and BIPA regulate how entities manage information that individuals give away (such as biometric information). Because two senses of privacy existed within the exclusion, the District Court determined it was ambiguous and declined to extend the exclusion to preclude coverage for allegations of BIPA violations. As such, the District Court ruled that the underlying lawsuits triggered Citizens’ duty to defend Wynndalco. Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, No. 20 C 3873, 2022 WL 952534 (N.D. Ill. Mar. 30, 2022).

N.D. Ill. / Notice: No Coverage for Claim Made on Last Day of Policy Period Because Insured Unaware

The United States District Court for the Northern District of Illinois, in an opinion written by Judge Kennelly, applying Illinois law, granted an insurer’s motion for judgment on the pleadings, holding no coverage for a lawsuit alleging Illinois Biometric Information Privacy Act (“BIPA”) violations that was filed on the last day of the policy period because the insured, Lewis Produce Market No. 2, Inc. (“Market 2”), was unaware of the “claim” until after the policy period ended.

Philadelphia Indemnity Insurance Co. (“Philadelphia”) issued two successive liability insurance policies to Market 2, but only the first of the two provided coverage for lawsuits alleging privacy violations under BIPA. The end of the first policy period was at midnight on February 1, 2021.

Lewis Produce Market Inc. (“Market 1”), a distinct Illinois corporation separate from Market 2, but with near identical ownership and operations, was sued late in the day on February 1, 2021, for BIPA violations. Market 2 first learned of the BIPA lawsuit on February 8, 2021, and informed Philadelphia of the “claim or potential claim” on February 19, 2021. On July 16, 2021, the underlying plaintiff amended his complaint and named Market 2 as the sole defendant and dropped Market 1.

The relevant Philadelphia policy provisions include: (1) “[t]he Underwriter shall pay on behalf of the Insured, Loss from Claims made against the Insured during the Policy Period”; (2) Claim is defined to include “a written demand for monetary or non-monetary relief” or “a judicial or civil proceeding commenced by the service of a complaint or similar pleading”; and (3) “[a] Claim shall be considered made when an Insured first receives notice of the Claim.”

Thus, according to the District Court, the claim would be covered by the policy so long as Market 2 received notice of the lawsuit during the coverage period. However, the complaint alleges, undisputed by Market 2, that Market 2 did not receive notice of the lawsuit until February 8, 2021, days after the coverage period ended. Therefore, according to the policy language, the claim was not made until after the policy period. The Court rejected Market 2’s argument that the claim was made during the policy period because it had constructive notice of the lawsuit once it was filed, on February 1, 2020, even if it did not have actual knowledge. The Court explained that such an interpretation would contravene the plain language of the policy. The Court concluded that “the policy means what it says; it requires the insured to ‘receive’ actual notice of the matter giving rise to the claim.”  Although the District Court acknowledged the practical difficulties involved when a lawsuit is filed late on the last day of a policy period, it reasoned that the policy should not be interpreted to provide greater coverage than the parties bargained for. As such, the District Court concluded there was no coverage and granted Philadelphia’s motion for judgment on the pleadings. Philadelphia Indem. Ins. Co. v. Lewis Produce Mkt. No. 2 Inc., 2022 WL 1045640 (N.D. Ill. Apr. 7, 2022).

N.D. Ill. / BIPA: Three More Recent Opinions

The Northern District of Illinois issued three rulings regarding insurance coverage for alleged violations of the Illinois Biometric Information Privacy Act. In each decision, the Court considered certain exclusions relied upon by the respective insurers to deny coverage: an Employment-Related Practices (“ERP”) exclusion, a Distribution of Material in Violation of Statutes (“Statutory Violation”) exclusion, and Access/Disclosure exclusion. Each opinion treated the arguments differently.

Regarding the ERP exclusion, all three of the courts ruled in favor of the insured, but for distinct reasons. Each of the courts set out to determine whether the practice at issue (that is, collecting employees’ handprints or fingerprints on time clocks) fell within an exclusion for claims of personal and advertising injury arising out of any (a) refusal to employ that person; (b) termination of that person’s employment; or (c) employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person. The Carnagio court held that the list related to actions involving the employee’s performance, while the Tony’s Finer Foods court held that the list covers a “subset of claims brought by employees.” In both cases, the collection of fingerprints for clock-in and clock-out was too dissimilar from those examples such that the exclusion was found not to apply. Thermoflex, finally, found the provision was ambiguous and held for the insured for that reason.

Regarding the Statutory Violation exclusion considered in two of the cases, both courts ruled in favor of the insured. The Thermoflex and Carnagio courts both relied upon recent Illinois precedent, in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (May 20, 2021) (see Insurance Bytes summary) in holding that BIPA is dissimilar to the statutes mentioned in the exclusion—the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, and the Fair Credit Reporting Act—and thus not within the ambit of the exclusion.

Lastly, the Access/Disclosure exclusion was considered in two cases, with the courts arriving at opposite results. The exclusion in both cases precludes coverage for any personal and advertising injury “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” However, the Thermoflex court, noting that BIPA itself distinguishes between “biometric identifiers” and “confidential and sensitive information” held that it was ambiguous whether handprints fell into the exclusion (thus ruling for the insured), while the Carnagio court was willing to make a determination: biometric data protected by BIPA is within a category of information which individuals “have a heightened interest in keeping from third-parties or the public at large.” Thus, the Carnagio court held that the Access/Disclosure exclusion does exclude coverage for allegations of BIPA violations, coming to a different conclusion than the Thermoflex court did.

Cases discussed: Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022); Am. Family Mut., Ins. Co., S.I. v. Carnagio Enters., Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022); State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., 2022 WL 683688 (N.D. Ill. Mar. 8, 2022)