(Article from Insurance Law Alert, May 2024)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
The Seventh Circuit ruled that an Access to Personal Information Exclusion barred coverage for claims alleging violations of the Biometric Information Privacy Act (“BIPA”), but that three other exclusions did not. Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc., 2024 U.S. App. LEXIS 12033 (7th Cir. May 17, 2024).
Background
Employees alleged that use of handprint data by their employer violated the BIPA. The employer sought defense and indemnity from Mitsui under primary, excess and umbrella policies, which the insurer denied. As discussed in our January 2023 Alert, an Illinois district court ruled that an Access to Personal Information Exclusion in the primary policy barred coverage, and therefore that Mitsui had no duty to defend under the primary or follow form excess policies, but that three other exclusions in the umbrella policy did not apply. The Seventh Circuit affirmed.
Decision
The Access to Personal Information Exclusion provided that the insurance “does not apply to [claims] arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The Seventh Circuit agreed with the district court that handprints fall within the scope of confidential or personal information and that the exclusionary language was unambiguous. In so ruling, the court rejected Thermoflex’s assertion that the exclusion was ambiguous because it referenced patents, which are public, noting that inclusion of a non-private example did not create ambiguity.
However, because the umbrella policy lacked that exclusion, the court considered whether three other provisions precluded coverage. A “Statutory Violation Exclusion” applied to matters
arising directly or indirectly out of violations of or alleged violations of: (1) the Telephone Consumer Protection Act (TCPA), including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations; (2) the CAN-SPAM Act of 2003, including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations; (3) the Fair Credit Reporting Act (FCRA), including any amendments thereto, such as the Fair and Accurate Credit Transaction Act (FACTA), and any similar federal, state, or local laws, ordinances, statutes, or regulations; or (4) any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information.
The Seventh Circuit ruled that this exclusion did not relieve Mitsui of its duty to defend, citing West Bend Mutual Ins. Co. v. Krishna Schaumbugh Tan, Inc., 2021 IL 125978 (Ill. 2021), in which the Illinois Supreme Court ruled that a similar exclusion did not bar coverage for BIPA claims.
Additionally, the court concluded that a “Data Breach Liability” provision, which excluded coverage for: “1) … [loss] arising out of disclosure of or access to private or confidential information belonging to any person or organization; or 2) any loss, cost, expense, or ‘damages’ arising out of damage to, corruption of, loss of use or function of, or inability to access, change, or manipulate ‘data records,’” did not apply. The court reasoned that the exclusion was intended to apply to situations in which hackers obtain access to personal information, not to claims based on mandated disclosure of personal information to an employer.
Finally, the court ruled an Employment-Related Practices exclusion did not relieve Mitsui of its duty to defend. That provision barred coverage of injury arising out of: “a) refusal to employ that person; b) termination of employment of that person; or c) coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct, or other employment-related practices, policies, acts, or omissions directed towards that person.” The court acknowledged that the collection and processing of handprints to keep track of work hours may be an “employment-related practice” but emphasized that such a practice was not “directed towards” any given worker.
The Seventh Circuit therefore held that Mitsui had a duty to defend under the umbrella policy after all underlying insurance and self-insured retentions have been exhausted.
Comments
The Seventh Circuit’s decision is one of a growing body of Illinois law related to the scope of coverage for BIPA claims. As discussed in previous Alerts, courts have reached different conclusions, relying primarily on the specific exclusionary language at issue. A previous Seventh Circuit decision, Citizens Insurance Co. v. Wynndalco, 70 F.4th 987 (7th Cir. 2023), held that an exclusion for claims based on “laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information” did not bar coverage for BIPA claims because such a reading of the exclusion would nullify coverage expressly provided elsewhere in that policy. However, an Illinois intermediate appellate court, faced with similar language, reached a contrary conclusion. See National Fire Insurance Co. v. Visual Pak Co., 2023 IL App (1st) 221160 (Ill. App. Ct. 2023).