(Article from Insurance Law Alert, May 2021)
For more information, please visit the Insurance Law Alert Resource Center.
The Illinois Supreme Court ruled that an insurer must defend a suit alleging violations of the Biometric Information Privacy Act (“BIPA”), finding that the underlying complaint alleged a publication of information in violation of the claimant’s right to privacy and that a “violation of statutes” exclusion did not apply. West Bend Mutual Ins. Co. v. Krishna Schaumburgh Tan, Inc., 2021 WL 2005464 (Ill. May 20, 2021).
A tanning salon customer sued the salon alleging BIPA violations based on the company’s alleged disclosure of the customer’s fingerprints to a third-party vendor. West Bend sought a declaration that it had no duty to defend the suit. West Bend argued that there was no coverage under the policy’s personal and advertising injury provision because the disclosure of personal information to a single party is not a “publication of material that violates a person’s right of privacy,” as required by the policy. Additionally, West Bend claimed that coverage was barred by a “violation of statutes” exclusion. An Illinois trial court rejected both assertions and granted the salon’s summary judgment motion. An intermediate appellate court and the Illinois Supreme Court affirmed.
The Illinois Supreme Court ruled that the salon’s sharing of biometric information with the vendor was a “publication” under the policy. The court explained that “publication” can reasonably mean communication to the general public at large or disclosure to a single party. Construing this ambiguity in favor of coverage, the court concluded that the salon’s communication with a single vendor satisfied the publication requirement. The court further held that “right to privacy” includes the right to keep biometric identifiers (e.g., fingerprints, retina scans, voiceprints) secret from disclosure to others.
The court rejected West Bend’s assertion that a “violation of statutes” exclusion barred coverage. The exclusion applied to personal injury
arising directly or indirectly out of any action or omission that violates . . . (1) The Telephone Consumer Protection Act . . . or (2) The CAN-SPAM Act of 2003 . . . or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
West Bend argued that the phrase “other than” indicates that the exclusion applies to any statute that prohibits the communication of information. Dismissing this argument, the court held that the exclusion applies only to statutes that regulate methods of communication, such as telephone calls, faxes and emails. The court concluded that the BIPA is not within this category of statutes because it regulates the collection, use and handling of biometric information, which the court deemed “fundamentally different” from the regulation of modes of communication.