(Article from Insurance Law Alert, January 2023)
For more information, please visit the Insurance Law Alert Resource Center.
An Illinois district court ruled that exclusions in excess and umbrella policies did not negate the insurer’s duty to defend a suit alleging violations of the Biometric Information Privacy Act (“BIPA”), but that the duty to defend did not arise until the policyholder exhausted primary policy limits. Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 2023 WL 319235 (N.D. Ill. Jan. 19, 2023).
The underlying suit against Thermoflex alleged BIPA violations based on the company’s policy of requiring workers to scan handprint data, which was then transmitted to a third party. In a previous ruling in this case, an Illinois district court ruled that there was no coverage under general liability policies issued by Mitsui based on an “Access or Disclosure Exclusion.” In the present ruling, the court addressed whether coverage was available under two provisions in excess and umbrella policies issued by Mitsui, and whether certain exclusions in those policies applied.
As a preliminary matter, the court ruled that coverage was unavailable under a provision that is triggered only when underlying insurance provides coverage in the first place. The court refused to reconsider the prior ruling that the Access or Disclosure Exclusion in the general liability policy applied, and therefore concluded that excess and umbrella coverage under a provision that was predicated on underlying general liability coverage was unavailable.
However, the court concluded that the BIPA claims triggered coverage under a separate provision that applied to “personal and advertising injury coverage (defined to include injury arising out of the publication of material that violates a person’s right to privacy) and which did not require coverage under an underlying liability policy. Mitsui argued that three exclusions barred coverage under that provision, but the court disagreed.
First, the court declined to apply a Statutory Violations Exclusion, which applied to alleged violations of the TCPA, the CAN-SPAM Act of 2003, the Fair Credit Reporting Act, the Fair and Accurate Credit Transaction Act, and “any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information.” Applying the reasoning set forth in W. Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill. 2021) (discussed in our May 2021 Alert) and Citizens Ins. Co. of Am. v. Wynndalco Enters., LLC, 2022 WL 952534 (N.D. Ill. Mar. 30, 2022) (discussed in our April 2022 Alert), the court ruled that the catchall provision in the exclusion did not encompass alleged BIPA violations. The court acknowledged that the exclusion in Krishna was narrower in scope than the one at issue here, but nonetheless agreed with the Wynndalco decision that interpreting the catchall provision to include BIPA claims would “swallow up large swaths” of coverage. Ultimately deeming the exclusion ambiguous, the court construed it in favor of coverage.
Additionally, the court declined to apply a Data Breach Exclusion that applied to damages arising out of the “disclosure of or access to private or confidential information.” The court acknowledged that the language of the exclusion “tracks closely with the Access or Disclosure Exclusion” that was held to bar general liability coverage in the court’s previous ruling, but concluded that “reading the exclusion in its entirety suggests that it was not intended to bar coverage beyond data breach liability.” More specifically, the court reasoned that language in the exclusion referring to computer applications and software suggested that it was focused on damages resulting from a data breach, or at a minimum, ambiguous in its scope.
A third exclusion precluded coverage for damages arising out of “other employment-related practices, policies, acts, or omissions directed towards that person.” The court rejected Mitsui’s contention that the BIPA claims, which arose out of a policy requiring employees to use a biometric time tracking system, fell within the scope of the exclusion. Citing Citizens, the court concluded that the phrase “directed towards that person,” together with an enumerated list of examples that pertained to actions taken against a specific individual (e.g., harassment, demotion, discipline), indicated that the exclusion was not intended to apply to a company-wide policy that affected all workers in the same way.
Finally, the court ruled that even though none of the exclusions precluded coverage of the underlying claims, that Mitsui had no present duty to defend because Thermoflex had not exhausted primary coverage. In so ruling, the court took judicial notice of a ruling in another case holding that a different primary insurer owed Thermoflex a duty to defend the underlying suit. Applying the principle of horizontal exhaustion (under which all primary policies must be exhausted before excess coverage is implicated), the court held that Mitsui had no present duty to defend.