BIPA: Court Finds Limited Coverage for Company’s Claimed Violation

May 23, 2023 / News / Writing and Speaking

By Don R. Sampen, published, Chicago Daily Law Bulletin, May 23, 2023

The 1st District Appellate Court recently construed an insurance policy’s cyber coverage provisions and found a duty to defend an insured for one alleged violation of the Illinois Biometric Information Privacy Act (BIPA) pertaining to the collection of fingerprints. The policy, however, provided no coverage for related claims.

The case is Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097 (March 31). The insured, Remprex, was represented by Taft Stettinius & Hollister LLP of Chicago. Simpson Thacher & Bartlett LLP of New York represented the insurer, Lloyd’s.

Remprex provided automated gate systems services at facilities owned by BNSF Railway Company. In connection with those services, BNSF used Remprex technology to collect biometric information, including fingerprints, to identify personnel.

In April 2019, a truck driver initiated a class-action lawsuit against BNSF alleging that BNSF collected and stored biometric information in a negligent manner in violation of BIPA, 740 ILCS 14/1, et seq.

BIPA regulates the collection and storage of so-called biometric information, such as fingerprints, eye scans, facial recognition, etc., and also provides a private right of action for violations.

Remprex did not become a party to the BNSF lawsuit, although it did attend mediation sessions and was subpoenaed for documents and depositions. A jury ultimately awarded damages against BNSF in 2022.

In July 2019, the same truck driver filed a second class-action lawsuit against Remprex and affiliates of Canadian National Railway Company, making similar allegations against Remprex as were brought against BNSF. Remprex was able to obtain a voluntary dismissal of the CN lawsuit by November 2019.

Lloyd’s issued a “Beazley Breach Response” policy to Remprex that provided cyber coverage for, among other things, “data and network liability” and “media liability.” The former insured against data and security breaches involving personally identifiable information. The latter involved coverage for violation of an individual’s right of privacy “in the course of creating media material,” including the “public” disclosure of private facts.

Remprex first notified Lloyd’s of litigation in June 2019 and sought a defense under the relevant sections of the policy. Lloyd’s denied coverage, and Remprex brought an instant lawsuit in August 2020. Its complaint sought a declaration of Lloyd’s obligation to defend, and damages for breach of contract, bad faith, consumer fraud and common law fraud regarding both the BNSF and CN lawsuits.

In response, Lloyd’s filed a motion to dismiss, which the trial court granted. Remprex took this appeal.

No Coverage — BNSF Lawsuit

In an opinion by Justice Sharon Oden Johnson, the 1st District mostly affirmed. She noted initially that the policy contained a choice-of-law provision designating New York law as governing the policy. Her opinion thus relied mostly on New York case law.

Regarding the BNSF lawsuit, she noted first and foremost that Remprex was never named a party and no claim was ever made against it. While Remprex participated in discovery and mediation, none of its activities rose to the level of being a named party.

Johnson observed, moreover, that Remprex never had written consent from Lloyd’s for its litigation activities, which was a condition for the reimbursement of any litigation expenses.

In addition, while the complaint made allegations against BNSF and “authorized vendors,” which included Remprex, such a general reference did not constitute a demand for money. Also, even though BNSF sent a letter to Remprex requesting indemnification, the policy excluded any contractual liability with respect to the media liability coverage.

As for Remprex’s specific actions in response to the subpoena with which it was served, Johnson said Remprex did not receive the subpoena until after Lloyd’s denied coverage, and it never submitted the subpoena to Lloyd’s for coverage. Hence, no aspect of the BNSF lawsuit was brought within the coverage of Lloyd’s policy.

Duty to Defend — CN Lawsuit

With respect to the CN lawsuit, Remprex invoked media liability coverage by focusing on the requirement of “public” dissemination of information. It maintained the policy did not define that term, and the policy therefore was ambiguous. The company contended, moreover, that “public” could apply to information shared between itself and one other entity, meaning CN.

Johnson disagreed. She wrote that dissemination of information to the counterparty of the agreement to collect the information did not constitute “public” disclosure. Rather under a common dictionary definition, “public” meant exposure to general view such as could give rise to harm.

On the other hand, Johnson agreed with Remprex that, to the extent the complaint alleged that Remprex unlawfully collected the plaintiffs’ fingerprints, coverage would exist. Coverage existed as a form of “media liability” for violating an individual’s right to privacy during the “course of creating media material.”

Thus, Johnson found the trial court erred in denying coverage for litigation expenses Remprex incurred in defending allegations that it unlawfully collected fingerprints.

She found no coverage under the “data and network liability” provisions of the policy, since the named defendants were, once again, alleged only to have collected and shared the data with one another in violation of BIPA. The relevant policy language applied only to third-party access and public disclosure of the personal information.

Johnson agreed with the trial court that the bad faith, consumer fraud, and common law fraud counts were properly dismissed.

The court therefore affirmed the dismissal in Lloyd’s favor of all claims with the exception of Remprex’s claim for expenses incurred in defending the CN lawsuit.

Key Points

  • A policy providing coverage for wrongful disclosure of information “to the public” does not cover the sharing of information between two parties to an agreement to collect the information.
  • A policy providing coverage for violating an individual’s right to privacy during the “course of creating media material” may provide coverage for the unlawful collection of personally identifiable information.

Related Attorneys

  • Chicago

    Illinois 60603

    10 South LaSalle Street

    Chicago, Illinois 60603

    T: 312.855.1010 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick

  • New York

    New York 10005

    28 Liberty Street 39th Floor

    New York, New York 10005

    T: 212.805.3900 TF: 800.826.3505 F: 212.805.3939 Office Managing Partner: Carl M. Perri

  • Mission Viejo

    California 92691

    27285 Las Ramblas

    Suite 200

    Mission Viejo, California 92691

    T: 949.260.3100 TF: 800.826.3505 F: 949.260.3190 Office Managing Partner: Ian R. Feldman

  • Florham Park

    New Jersey 07932

    100 Campus Drive

    Florham Park, New Jersey 07932

    T: 973.410.4130 TF: 800.826.3505 F: 973.410.4169 Office Managing Partner: Carl M. Perri

  • Michigan City

    Indiana 46360

    200 Commerce Square

    Michigan City, Indiana 46360

    T: 219.262.6106 TF: 800.826.3505 F: 312.606.7777 Office Managing Partners: Paige M. Neel, Kimbley A. Kearney

  • Milwaukee

    Wisconsin 53202

    250 E. Wisconsin Avenue

    Suite 1800

    Milwaukee, Wisconsin 53202

    T: 414.279.5525 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: James M. Weck

  • Stamford

    Connecticut 06902

    68 Southfield Avenue

    2 Stamford Landing Suite 100

    Stamford, Connecticut 06902

    T: 203.921.0303 TF: 800.826.3505 F: 212.805.3939 Office Managing Partner: Matthew J. Van Dusen

  • Tampa

    Florida 33609

    4830 West Kennedy Boulevard, One Urban Center

    Suite 600

    Tampa, Florida 33609

    T: 813.509.2578 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick Co-Managing Partner: Kelly M. Vogt

  • San Francisco

    California 94111

    100 Pine Street

    Suite 1250

    San Francisco, California 94111

    T: 415.287.2744 TF: 800.826.3505 F: 949.260.3190 Office Managing Partner: Ian R. Feldman

  • Houston

    Texas 77019

    2929 Allen Parkway

    American General Center, Suite 200

    Houston, Texas 77019

    T: 346.229.4612 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Ramy P. Elmasri

  • Dallas

    Texas 75201

    325 N. Saint Paul Street

    Suite 3100

    Dallas, Texas 75201

    T: 469.942.8635 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Ramy P. Elmasri

  • Boca Raton

    Florida 33434

    7777 Glades Road

    Suite 405

    Boca Raton, Florida 33434

    T: 561.765.5305 TF: 800.826.3505 F: 312.606.7777 Office Managing Partner: Dennis D. Fitzpatrick Co-Managing Partner: Kelly M. Vogt