BIPA: Court Finds Limited Coverage for Company’s Claimed Violation
By Don R. Sampen, published, Chicago Daily Law Bulletin, May 23, 2023
The 1st District Appellate Court recently construed an insurance policy’s cyber coverage provisions and found a duty to defend an insured for one alleged violation of the Illinois Biometric Information Privacy Act (BIPA) pertaining to the collection of fingerprints. The policy, however, provided no coverage for related claims.
The case is Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097 (March 31). The insured, Remprex, was represented by Taft Stettinius & Hollister LLP of Chicago. Simpson Thacher & Bartlett LLP of New York represented the insurer, Lloyd’s.
Remprex provided automated gate systems services at facilities owned by BNSF Railway Company. In connection with those services, BNSF used Remprex technology to collect biometric information, including fingerprints, to identify personnel.
In April 2019, a truck driver initiated a class-action lawsuit against BNSF alleging that BNSF collected and stored biometric information in a negligent manner in violation of BIPA, 740 ILCS 14/1, et seq.
BIPA regulates the collection and storage of so-called biometric information, such as fingerprints, eye scans, facial recognition, etc., and also provides a private right of action for violations.
Remprex did not become a party to the BNSF lawsuit, although it did attend mediation sessions and was subpoenaed for documents and depositions. A jury ultimately awarded damages against BNSF in 2022.
In July 2019, the same truck driver filed a second class-action lawsuit against Remprex and affiliates of Canadian National Railway Company, making similar allegations against Remprex as were brought against BNSF. Remprex was able to obtain a voluntary dismissal of the CN lawsuit by November 2019.
Lloyd’s issued a “Beazley Breach Response” policy to Remprex that provided cyber coverage for, among other things, “data and network liability” and “media liability.” The former insured against data and security breaches involving personally identifiable information. The latter involved coverage for violation of an individual’s right of privacy “in the course of creating media material,” including the “public” disclosure of private facts.
Remprex first notified Lloyd’s of litigation in June 2019 and sought a defense under the relevant sections of the policy. Lloyd’s denied coverage, and Remprex brought an instant lawsuit in August 2020. Its complaint sought a declaration of Lloyd’s obligation to defend, and damages for breach of contract, bad faith, consumer fraud and common law fraud regarding both the BNSF and CN lawsuits.
In response, Lloyd’s filed a motion to dismiss, which the trial court granted. Remprex took this appeal.
No Coverage — BNSF Lawsuit
In an opinion by Justice Sharon Oden Johnson, the 1st District mostly affirmed. She noted initially that the policy contained a choice-of-law provision designating New York law as governing the policy. Her opinion thus relied mostly on New York case law.
Regarding the BNSF lawsuit, she noted first and foremost that Remprex was never named a party and no claim was ever made against it. While Remprex participated in discovery and mediation, none of its activities rose to the level of being a named party.
Johnson observed, moreover, that Remprex never had written consent from Lloyd’s for its litigation activities, which was a condition for the reimbursement of any litigation expenses.
In addition, while the complaint made allegations against BNSF and “authorized vendors,” which included Remprex, such a general reference did not constitute a demand for money. Also, even though BNSF sent a letter to Remprex requesting indemnification, the policy excluded any contractual liability with respect to the media liability coverage.
As for Remprex’s specific actions in response to the subpoena with which it was served, Johnson said Remprex did not receive the subpoena until after Lloyd’s denied coverage, and it never submitted the subpoena to Lloyd’s for coverage. Hence, no aspect of the BNSF lawsuit was brought within the coverage of Lloyd’s policy.
Duty to Defend — CN Lawsuit
With respect to the CN lawsuit, Remprex invoked media liability coverage by focusing on the requirement of “public” dissemination of information. It maintained the policy did not define that term, and the policy therefore was ambiguous. The company contended, moreover, that “public” could apply to information shared between itself and one other entity, meaning CN.
Johnson disagreed. She wrote that dissemination of information to the counterparty of the agreement to collect the information did not constitute “public” disclosure. Rather under a common dictionary definition, “public” meant exposure to general view such as could give rise to harm.
On the other hand, Johnson agreed with Remprex that, to the extent the complaint alleged that Remprex unlawfully collected the plaintiffs’ fingerprints, coverage would exist. Coverage existed as a form of “media liability” for violating an individual’s right to privacy during the “course of creating media material.”
Thus, Johnson found the trial court erred in denying coverage for litigation expenses Remprex incurred in defending allegations that it unlawfully collected fingerprints.
She found no coverage under the “data and network liability” provisions of the policy, since the named defendants were, once again, alleged only to have collected and shared the data with one another in violation of BIPA. The relevant policy language applied only to third-party access and public disclosure of the personal information.
Johnson agreed with the trial court that the bad faith, consumer fraud, and common law fraud counts were properly dismissed.
The court therefore affirmed the dismissal in Lloyd’s favor of all claims with the exception of Remprex’s claim for expenses incurred in defending the CN lawsuit.
- A policy providing coverage for wrongful disclosure of information “to the public” does not cover the sharing of information between two parties to an agreement to collect the information.
- A policy providing coverage for violating an individual’s right to privacy during the “course of creating media material” may provide coverage for the unlawful collection of personally identifiable information.