Blog

The Takeaway

Illinois’ First District Appellate Court affirmed a Circuit Court’s decision that an insurer has no duty to defend its insured in an underlying BIPA lawsuit.

Introduction

The Biometric Information Privacy Act (BIPA or Act) has launched hundreds, if not thousands, of lawsuits across the state and federal courts of Illinois. Some BIPA lawsuits have even made their way to other states,[1] with some settling for enormous sums.[2] With so many BIPA lawsuits, insureds and insurers have been asking an important question: does an insurance policy provide coverage for these BIPA lawsuits?

What Is BIPA?

BIPA establishes safeguards and procedures relating to the retention, collection, disclosure, and destruction of biometric data.[3] Passed in October 2008, BIPA is intended to protect a person’s unique biological traits: the data encompassed in someone’s fingerprint, voice print, retinal scan, or facial geometry. Given the sensitivity of this information[4] – unlike a stolen credit card, there is no replacing or reissuing your fingerprint – BIPA provides a private right of action for “[a]ny person aggrieved by a violation of this Act . . . .”[5]

The Exclusion Game

BIPA establishes that “individuals possess a right to privacy in and control over their biometric identifiers and biometric information.”[6] A lawsuit asserting a violation of this right to privacy therefore falls within the “personal and advertising injury” provision of an insurance policy, triggering coverage.[7] That much is clear. Indeed, it is all but uncontested that the underlying BIPA lawsuits at issue “allege ‘personal and advertising injury.’”[8] Instead, the issue is whether a policy exception unambiguously applies to preclude coverage.[9]

As of December 2023, there was no clear answer to this question as the federal district courts have reached conflicting decisions on this important issue,[10] even as to the same named insured.[11] This all changed with Value Pak.

BIPA coverage litigation has centered around three specific policy exclusions:

1. Statutory Violation Exclusion
2. Employment-Related Practices Exclusion
3. Access or Disclosure Exclusion

Remarkably, the federal courts had failed to reach uniformity with respect to any of these exclusions. Each separate exclusion found cases in support and against coverage. Value Pak has now resolved this.

The Statutory Violation Exclusion

Certain statutes are well-known for spawning litigation. To that end, insurers have noted their unwillingness to insure against such claims. In a typical policy, the Statutory Violation exclusion would mean the insurance did not apply to any injury arising out of a violation of:

p. Recording And Distribution Of Material Or Information In Violation Of Law

Personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate:

In Krishna, the Illinois Supreme Court reviewed a “very similar” exclusion and found the BIPA statute was not “a statute of the same kind as the TCPA and the CAN-SPAM Act,” since the Act does not regulate methods of communication.[13]

For those courts finding the Statutory Violation exclusion does not apply, BIPA is simply not the same kind of statute as the TCPA, the CAN-SPAM Act, or the FCRA.[14] These statutes regulate methods of communication (the TCPA and CAN-SPAM) and the use of materials (the FCRA).[15] BIPA, by contrast, “regulates the collection, use, storage, and retention of biometric identifiers and information.”[16] At best, it is unclear whether BIPA is sufficiently similar to the listed statutes; at worst, it is different in kind.[17] For those courts finding the Statutory Violation exclusion does apply, BIPA “is of the same kind, character and nature as the enumerated statutes” because all the statutes “protect and govern privacy interests in personal information.”[18]

In Visual Pak, the First District Court of Appeals found the exclusion language before it was broader than that found in the Krishna case.[19] The Visual Pak court also noted that it was “simply impossible to deny that it [the statutory exclusion violation] describes BIPA.”[20] On this issue, the Illinois Court of Appeals disagreed with the Seventh Circuit’s decision in Wynndalco, finding the federal court had given “too little credit to the reasonable person purchasing this business liability policy.”[21] All of the statutes listed in the exclusion dealt with issues of personal privacy, which meant “an underlying lawsuit alleging a violation of BIPA would fall under the catchall phrase of the violation-of-law exclusion” found in paragraph 4.[22]

Exclusions for Employment-Related Practices and Access or Disclosure

In light of this ruling, the Visual Pak court declined to address either the Employment-Related Practices Exclusion or the Access or Disclosure Exclusion. Thus, the Appellate Court affirmed the Circuit Court’s decision finding the insurer had no duty to defend its insured in the underlying BIPA lawsuit.[23]

An Appealing Resolution

Visual Pak offers some needed clarity within the insurance coverage realm, particularly with so many conflicting decisions on each exclusion. The Illinois Supreme Court has granted several Petitions for Leave to Appeal surrounding the BIPA statute. The Visual Pak case may also find its way to Illinois’s highest court.

[1] See, e.g., Vance v. Microsoft Corp., 534 F. Supp. 3d 1301 (W.D. Wash. 2021).

[2] See Zellmer v. Facebook, Inc., No. 3:18-CV-01880-JD, 2022 WL 976981, at *1 (N.D. Cal. Mar. 31, 2022) (noting the $650 million settlement in favor of Illinois Facebook users).

[3] 740 ILCS 14/15.

[4] 740 ILCS 14/5(c).

[5] 740 ILCS 14/20.

[6] Rosenbach v. Six Flags Ent. Corp., 2019 IL 123186, ¶33.

[7] Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, No. 20-CV-05980 JFK, 2022 WL 602534, at *4 (N.D. Ill. Mar. 1, 2022).

[8] Nat'l Fire Ins. Co. of Hartford & Cont'l Ins. Co. v. Visual Pak Co., Inc., 2023 IL App (1st) 221160, ¶40; Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., No. 21-CV-788 JZL, 2022 WL 954603, at *3 (N.D. Ill. Mar. 30, 2022).

[9] Thermoflex Waukegan, 2022 WL 602534, at *4.

[10] Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, 595 F. Supp. 3d 668, 670 (N.D. Ill. Mar. 30, 2022) (granting insured’s motion for judgment on the pleadings), aff’d, 70 F.4th 987 (7th Cir. 2023); Am. Fam. Mut., Ins. Co., S.I. v. Carnagio Enterprises, Inc., No. 20-CV-3665 JZL, 2022 WL 952533, at *1 (N.D. Ill. Mar. 30, 2022) (granting insurer’s motion for summary judgment); Citizens Ins. Co. of Am. v. Highland Baking Co., No. 20-CV-4997 MMP, 2022 WL 1210709, at *1 (N.D. Ill. Mar. 29, 2022) (granting insured’s motion for judgment on the pleadings); State Auto. Mut. Ins. Co. v. Tony's Finer Foods Enterprises, Inc., No. 20-CV-6199 SCS, 2022 WL 683688, at *1 (N.D. Ill. Mar. 8, 2022) (denying insurer’s motion for summary judgment); Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs., LLC, No. 1:20-CV-926 WLO, 2021 WL 4392061, at *1 (M.D.N.C. Sept. 24, 2021) (granting insurer’s motion for judgment on the pleadings); Am. Fam. Mut. Ins. Co. v. Caremel, Inc., No. 20-CV-637 HDL, 2022 WL 79868, at *1 (N.D. Ill. Jan. 7, 2022) (granting insurer’s motion for summary judgment).

[11] Compare Thermoflex Waukegan, LLC, 2022 WL 602534, at *1 (granting insured’s motion for judgment on the pleadings), with Thermoflex Waukegan, LLC, 2022 WL 954603, at *1 (granting insurer’s motion for summary judgment).

[12] Visual Pak Co., Inc., 2023 IL App (1st) 221160, ¶52.

[13] Thermoflex Waukegan, 2022 WL 602534, at *5 (quoting W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶58).

[14] Id. at *6.

[15] Id.

[16] Id.

[17]  Id.; see also Carnagio Enterprises, 2022 WL 952533, at *7 (“[T]he Court concludes that BIPA is not like the TCPA and the CAN-SPAM Act, because BIPA protects a different kind of privacy and uses a different method to do so.”); Wynndalco Enterprises, 595 F. Supp. 3d at 676 (“The only discernible resemblance between the TCPA, the CAN-SPAM Act, FCRA, and FACTA is that they all protect “privacy.” But once more, “privacy” in the BIPA context means something much different than “privacy” in the TCPA context, so the similarity is superficial at best.”); Caremel, 2022 WL 79868, at *4 (“This exclusion is virtually identical to the provision analyzed in Krishna.”).

[18] Massachusetts Bay Ins. Co., 2021 WL 4392061, at *7.

[19] Visual Pak Co., Inc., 2023 IL App (1st) 221160, ¶54.

[20] Id. at ¶55.

[21] Id. at ¶70.

[22] Id. at ¶70, ¶78.

[23] Id. at ¶121, ¶129.