Published on:

The Duty to Defend a Privacy Claim Arises from Even Limited Publication of Biometric Identifiers

Digital fingerprint, illustrationDo general liability policies provide coverage for limited disclosures of biometric data, such as fingerprints? The Illinois Supreme Court has concluded that they do.

In a unanimous decision, the Illinois Supreme Court has held that a general liability insurer must defend an insured accused of violating the Illinois Biometric Information Privacy Act (BIPA). The case arose from a tanning salon’s handling of member fingerprints. According to a class action complaint filed against Krishna Schaumburg Tan, Inc., a franchisee of L.A. Tan, the salon violated BIPA when it saved and then disclosed member fingerprints to an out-of-state third party without a written release required by the Act. BIPA regulates the retention, collection, disclosure and destruction of “biometric identifier(s),” such as fingerprints, iris scans, facial scans and voice prints, and creates a private right of action for violations of the Act, which was the basis of the class action lawsuit.

After Krishna was sued, the salon tendered the lawsuit to its insurer, West Bend Mutual Insurance Co., asserting coverage under a business insurance policy. West Bend defended Krishna subject to a reservation of rights and filed a declaratory judgment action seeking a determination that it did not owe the salon a duty to defend. The trial court ruled against West Bend on summary judgment, holding that the insurer owed the salon a duty to defend. The appellate court affirmed, and on May 20, 2021, so did the Illinois Supreme Court. The high court’s decision is the first it has issued finding that a duty to defend against BIPA claims arises from a business insurance policy.

As is common, the policy at issue covered damages the insured became liable to pay “because of ‘bodily injury,’ ‘property damage,’ ‘personal injury’ or ‘advertising injury.’” The parties disputed whether coverage was provided for Krishna’s alleged violation of BIPA under the policy’s advertising or personal injury provisions and whether coverage was prohibited by a violation of statutes exclusion.

As is also common, a threshold requirement for both advertising injury and personal injury coverage under the policy was the “oral or written publication” of information that violates a “right of privacy.” The parties disputed the scope of the term “publication” as used in these definitions, with each party citing the same prior Illinois Supreme Court decision, Valley Forge Insurance Co. v. Swiderski Electronics, Inc., which addressed the coverage afforded to unsolicited facsimile advertisements, in support of its own interpretation of that policy term. According to West Bend, the Illinois Supreme Court interpreted the term “publication” to mean “communication to the public at large.” West Bend argued that the disclosure of fingerprints to a single party could not constitute “communication to the public at large,” and, therefore, the personal injury and advertising injury coverages were inapplicable to the BIPA class action claims brought against Krishna. Krishna argued that West Bend misinterpreted the decision, and the Illinois Supreme Court acknowledged that as an undefined policy term “publication” was to be interpreted according to an ordinary person’s understanding of dictionary definitions. Citing the appellate decision in Valley Forge and decisions of non-Illinois courts interpreting the term, Krishna argued that “publication” encompassed the communication of material, regardless of whether it is communicated to a third party, as well as wrongful disclosure to a third party.

Alternatively, West Bend argued that the policy’s violation of statutes exclusion barred coverage. That exclusion provides the policy will not cover injury “arising directly or indirectly out of any action or omission that violates or is alleged to violate” enumerated inapplicable statutes or “[a]ny statute, ordinance or regulation other than [the enumerated statutes] that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” Krishna argued that the exclusion was inapplicable.

The trial court held that the policy covered Krishna’s disclosure of fingerprints based on the “plain, ordinary, and popular meaning” of the term “publication.” According to the court, in the Valley Forge decision disputed by the parties, the Illinois Supreme Court affirmed the appellate court’s decision, which interpreted the term “publication” and held that it did not require communication to a third party. On this basis, the court held that “publication” “simply means the dissemination of information.” The court then interpreted the violation of statutes exclusion and held that it only barred coverage for injury arising from statutes that were like those enumerated in the policy. Those statutes—the Telephone Consumer Protection Act of 1991 and the CAN-SPAM Act of 2003—“regulate methods of sending information.” The Illinois Privacy Act had a different purpose, stated in the statute itself, which was “regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” The exclusion, therefore, was inapplicable to the BIPA, and West Bend had a duty to defend.

The appellate court affirmed based on essentially the same reasoning, finding that “common understandings and dictionary definitions” of the term “publication” encompassed both limited and broad sharing of information, and that the violation of statutes exclusion only “applies to statutes that govern certain methods of communication, i.e., e-mails, faxes, and phone calls.”

Now, the Illinois Supreme Court has affirmed, and the decision is final. The court first held that it was not bound by an interpretation of the term “publication” included in Valley Forge as any interpretation of the term “publication” in that decision was dictum and not binding precedent given that the appellate court’s interpretation of the term had not been appealed. The court then relied, for its interpretation of the term, on definitions of “publication” provided by “various dictionaries, treatises on insurance law and the law of privacy, and the Restatement of the Law of Torts.” Each source, the court held, defined “publication” as encompassing both communication to a single party and communication to the public at large. Because the term encompassed two definitions, the court held that it was ambiguous and had to be interpreted against the insurer that drafted the policy. On that basis, the court “construe[d] the term publication in West Bend’s policies to include a communication with a single party.” The court concluded that the claims in the class action complaint were within or potentially within the reference to “publication” in the policy’s personal injury definition.

The court then considered the meaning of a second phrase from the definition: “right of privacy.” The court noted the Illinois Privacy Act protected a “secrecy interest,” which was “the right of an individual to keep his or her personal identifying information like fingerprints secret.” That secrecy interest was a right of privacy, and the court held that the allegations in the class action complaint fell within or potentially fell within the phrase “right of privacy” as used in the West Bend policy.

Finally, the court found the violation of statutes exclusion did not bar coverage. The title of the exclusion—“Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information”—the court pointed out, references methods of communication. The two statutes identified in the exclusion regulate methods of communication, specifically emails, faxes, and telephone calls. The exclusion applies to statutes “other than” these statutes, but applying rules of statutory construction, the court held that the statutes referenced in this provision must be “of the same general kind that regulate methods of communication like [the enumerated statutes].” BIPA does not regulate methods of communication and “is not a statute of the same kind,” and for that reason, the exclusion does not bar coverage.

With the Krishna v. West Bend decision, the Illinois Supreme Court has determined that business insurance policies with personal injury or advertising injury coverage comparable to that at issue in the case gives rise to a duty to defend claims asserted under BIPA. Given that the use of biometric information such as fingerprints, iris scans, facial scans, and voice prints is becoming more and more common, the number of lawsuits brought for the unauthorized use of private information and for the violation of privacy laws—including class action lawsuits—is likely to increase significantly. The Illinois Supreme Court’s decision gives insureds a basis to seek a defense of liability from their general liability insurers, and the decision is likely to be at the forefront of future coverage litigation as other state courts grapple with the coverage afforded by business insurance policies for privacy claims.

Policyholders should keep Krishna in mind when analyzing business insurance policies for potential coverage for privacy claims, deciding when and how to submit a claim, and drafting pleadings or other dispute-related documents. Among other things, personal injury and advertising injury coverage provisions and violation of statutes exclusions should be scrutinized in light of the decision, with the assistance of competent coverage counsel. Policyholders should also keep an eye out for specific BIPA exclusions in future policies, and negotiate to include that coverage if possible to the extent they are exposed to risk of those claims.