(Article from Insurance Law Alert, September 2024)
For more information, please visit the Insurance Law Alert Resource Center.
Holding
An Illinois appellate court ruled that an underlying suit alleging violations of the Biometric and Information Privacy Act (“BIPA”) do not even potentially fall within the scope of coverage under a Cyber, Data Risk, and Media Insurance Policy and therefore that the insurer had no duty to defend the suit. Tony’s Finer Foods Enterprises, Inc. v. Certain Underwriters at Lloyd’s London, 2024 IL App (1st) 231712 (Ill. App. Ct. Sept. 10, 2024).
Background
A class action suit alleged that Tony’s Finer Foods (“TFF”) violated the BIPA by requiring employees to scan their fingerprints and by utilizing third-party software to maintain a database of that information without employee consent. When Lloyd’s denied coverage, TFF sought a declaration as to the duty to defend, arguing that Lloyd’s was not permitted to deny coverage, but rather had to either defend under a reservation of rights or alternatively, file its own declaratory judgment claim. In response, Lloyd’s claimed that TFF failed to provide timely notice and that the BIPA suit did not even potentially fall within the coverage provisions of the policy.
The trial court granted TFF’s summary judgment motion, finding that the allegations gave rise to the possibility of coverage. The trial court further held that Lloyd’s was estopped from asserting policy defenses based on its refusal to defend TFF or file a declaratory judgment action. The appellate court reversed.
Decision
The appellate court explained that estoppel applies only when an insurer has breached its duty to defend and therefore it was necessary to determine whether Lloyd’s had a duty to defend TFF in the first place. Finding no such duty, the appellate court emphasized that the allegations in the underlying suit related only to the collection and storage of employees’ fingerprint data. Such allegations did not even potentially fall within the scope of coverage that applies to a “data breach, security failure, or extortion threat” since there were no allegations of improper third-party access or lapses in security.
Additionally, the court found that coverage would be unavailable in any event based on an exclusion that applied to claims arising out of the “collection of information . . . without the knowledge or permission of the persons to whom such information relates . . . ; or use of personally identifiable information by [TFF] . . . in violation of law.”
Comments
The decision sets forth important limitations on the scope of phrases such as “data breach” and “security failure.” The court rejected TFF’s assertion that the underlying claims arguably alleged a data breach or security failure because of a potential for misuse or improper dissemination of the personal information, emphasizing that allegations relating to a hypothetical scenario in which biometric data could be unlawfully accessed is not the same as allegations that such a breach has already occurred.