Insurance Company Has Obligation to Cover BIPA Suit

By Don R. Sampen, published, Chicago Daily Law Bulletin April 21, 2020

The 1st District Appellate Court recently held that a claim that an insured disclosed fingerprint data to a third-party vendor in violation of an Illinois statute constituted a personal injury offense, and coverage was not barred by an exclusion for statutory violations pertaining to emails and faxes.

The case is West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc., 2020 IL App (1st) 191834 (March 20). The insurer, West Bend, was represented by attorneys at McKenna Storer. Edelson PC represented the claimant, Klaudia Sekura. And Pretzel & Stouffer Chtd. represented the insured Krishna.

Sekura brought a proposed class-action against Krishna, a franchisee of L.A. Tan Enterprises Inc. She alleged that when she and others purchased the tanning services of Krishna, the customers were required to have their fingerprints scanned.

She further claimed that Krishna disclosed her fingerprint data to an out-of-state third-party vendor, SunLync, without her consent in violation of the Biometric Information Privacy Act (740 ILCS 14/1). That statute prohibits the dissemination of a customer’s biometric identifiers except in specified circumstances. Her complaint sought statutory damages and attorney fees, restitution and damages for mental anguish.

West Bend provided coverage to Krishna under a commercial general liability policy that required West Bend to defend and indemnify Krishna for “personal injuries.” Those injuries included the publication of material consisting of slander or libel or violating “a person’s right of privacy.”

The policy also included an exclusion applicable to statutory violations that govern email and other methods of sending information. Examples of statutes giving rise to such violations set forth in the policy included the Telephone Consumer Protection Act and the CAN-SPAM Act of 2003.

Notwithstanding the exclusion, an endorsement to the policy extended coverage to accidental “personal data compromises” of “personally sensitive information without appropriate safeguards.”

Krishna tendered to West Bend, which agreed to defend under a reservation. West Bend then brought this declaratory action seeking a determination that it had no coverage obligation. Krishna filed a counterclaim seeking coverage and also penalties under the Insurance Code (215 ILCS 5/155) for bad faith.

On cross-motions for summary judgment, the trial court found in favor of coverage but denied sanctions for bad faith. West Bend appealed, and Krishna cross-appealed.

Analysis

In an opinion by Justice Mary L. Mikva, the 1st District affirmed. She initially addressed West Bend’s argument that the underlying claim did not fall within the definition of a personal injury because it did not allege a publication of material that violated a person’s right of privacy.

West Bend relied on Valley Forge Insurance Co. v. Swiderski Electronics Inc., 228 Ill.2d 352 (2006), which it interpreted as requiring a distribution of information to the public to fall within the definition of a “publication.” In this case, by contrast, Krishna was alleged to have shared the fingerprint information with only one other entity.

Mikva disagreed with such a limitation. While acknowledging that an example of publication the court used in Valley Forge involved a distribution to the public, she said the court did not intend to exclude the sharing of information with a single third-party. The policy language itself, moreover, did not provide any definition of “publication” giving rise to such a meaning.

Mikva then took up the statutory violation exclusion. West Bend claimed that it applied broadly, in the words of the exclusion, to “any statute, ordinance or regulation that prohibits or limits the sending, transmitting … Of material or information.” It claimed that the Biometric Information Privacy Act, which prohibits the dissemination of “a customer’s biometric identifier,” constituted one such statute.

According to Mikva, however, the exclusion read in context did not apply. The title of the exclusion in particular indicated that it was to apply to “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information.” Thus, the emphasis was on the method of communication, and the examples given in the exclusion — the TCPA and CAN-SPAM Act — both regulated such methods.

In this case, by contrast, the Biometric Information Privacy Act said nothing about the method of communication. The exclusion therefore would not apply.

Finally, as to Krishna’s cross-appeal claiming bad faith, Mikva said it was based entirely on the policy endorsement extending coverage to personally sensitive information. That endorsement, however, requires that the release of information be accidental and not reckless or deliberate.

And here, as West Bend pointed out, the release of information was alleged to have been as part of a membership program and not accidental. Mikva said West Bend therefore had a good-faith argument for why the endorsement did not apply.

Hence, the court affirmed the trial court’s holding that West Bend had an obligation to defend and did not engage in bad faith in pursuing its coverage determination.

Key point

An exclusion applicable to statutes that govern the method of transmitting personal, private or other information does not apply to exclude coverage for alleged violations of a statute that applies to the dissemination of information without regard to method.