(Article from Insurance Law Alert, October 2022)
For more information, please visit the Insurance Law Alert Resource Center.
As discussed in previous Alerts, the Illinois Supreme Court and several Illinois district courts have addressed whether certain policy exclusions bar coverage for claims alleging violations of the Biometric Information Privacy Act (“BIPA”). See March and April 2022 Alerts; May and October 2021 Alerts. Last month, another Illinois district court weighed in, ruling that two commercial general liability policy exclusions precluded coverage for the underlying BIPA claims. Cont’l Western Ins. Co. v. Cheese Merchants of Am., LLC, 2022 WL 4483886 (N.D. Ill. Sept. 27, 2022).
The underlying complaint alleged that Cheese Merchants’ use of a biometric time tracking system that scans employees’ hands for authentication violates the BIPA. Continental Western argued it had no duty to defend the suit based on three policy exclusions: (1) an employment-related practices exclusion; (2) a disclosure of personal information exclusion; and (3) a violation of law exclusion. The court concluded that the first exclusion did not apply but that the latter two did.
The employment-related practices exclusion applied to “Employment-related practices, policies, acts or omissions such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The court noted that while using one’s hand to clock in and out of work might seem like a practice related to employment, the “complete text and the overall structure of the provision” indicates that hand scanning is not a practice encompassed by the exclusion. In particular, the court explained that everything else listed in the exclusion related to mistreatment targeted at a specific employee, rather than a company-wide policy. As the court noted, other Illinois courts have similarly deemed this exclusion inapplicable to BIPA claims.
The disclosure of personal information exclusion excluded coverage “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” Emphasizing the breadth of the language in this provision, the court concluded that BIPA claims are precisely about protecting personal information. The court rejected Cheese Merchants’ assertion that the list of examples included in the exclusion indicated that it was intended to apply only to information associated with protected trade secrets, financial information or health information. The court explained that the list of examples was illustrative, not exhaustive, and deemed the exclusion unambiguous in light of the catch-all phrase “or any other type of nonpublic information.” Other Illinois courts are split as to whether similar exclusions bar coverage for BIPA claims.
The violation of law exclusion barred coverage for claims:
arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA) . . . (2) The CAN-SPAM Act of 2003. . . (3) The Fair Credit Reporting Act (FCRA), including the Fair and Accurate Credit Transactions Act (FACTA) . . . or (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.
The Illinois Supreme Court and numerous other Illinois district courts, faced with a similar exclusion, have concluded that it does not apply to BIPA claims. However, the Cheese Merchants court ruled that this “broad” and “sweeping” exclusion—particularly the fourth catch-all provision, applies squarely to such claims. The court rejected Cheese Merchants’ assertion that under the principle of ejusdem generis, the catch-all provision should be limited in scope to items of a similar nature to those expressly listed. The court explained that ejusdem generis typically applies only when there is “room for doubt about the sweep of the text.” Here, however, the court noted that the catch-all component of the exclusion “goes to great lengths to emphasize its expansiveness.” In addition, the court held that ejusdem generis does not apply because that canon of interpretation depends on the existence of a discernable theme common among the specific examples listed. The court held that the present exclusion lacked such a common thread, noting that while the TCPA and CAN-SPAM Act of 2003 both generally protect privacy by regulating against unwanted communications, the FCRA relates to the safekeeping of financial information. Finally, the court noted that even if a very generalized theme of “statutes that protect privacy” could be inferred from the language, it would be “at such a high level of generality that it would sweep in BIPA.”
The court expressly distinguished W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021) (discussed in our May 2021 Alert), in which the Illinois Supreme Court ruled that a violation of statutes exclusion did not apply to BIPA claims. The exclusion in that case did not reference the FCRA—a distinction the court deemed “meaningfully different.” The court stated:
The Illinois Supreme Court confronted an exclusion with a strong thematic current running through all of the specific examples. . . . But here, the exclusion covers two types of privacy statutes: two statues that protect privacy when communicating with consumers . . . and one statute that protects the privacy of information given by consumers. The inclusion of the FCRA expands the scope of the exclusion. And it signals that the general provision is not limited to communicating with consumers.