On March 20, 2020, the Illinois Appellate Court for the First District issued its decision in the case of West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834,  2020 WL 191834, a decision addressing an insurer’s obligation to defend its insured in connection with a lawsuit brought under the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1 et seq. (“BIPA”).  As discussed below, this new decision provides insurers with important guidance on their duty to defend obligations relating to BIPA.

The Underlying Lawsuit

Krishna Schaumburg Tan, Inc. (“Krishna”), a subsidiary of L.A. Tan Enterprises, Inc., was sued in April 2016 by one of its former customers on behalf of herself and a class of similarly situated individuals who alleged that Krishna violated the BIPA by unlawfully collecting its customers’ fingerprints and disclosing this data to third-party vendor, SunLync. West Bend Mutual Insurance Company (“West Bend”), Krishna’s insurer, agreed to defend Krishna under a reservation of rights to contest coverage obligations later on.

The West Bend Policies

West Bend had issued two nearly identical insurance policies to Krishna. Under the Businessowners Coverage Liability Form, West Bend agreed to pay “those sums that [Krishna] becomes legally obligated to pay as damages because of . . . personal injury . . . to which this insurance applies[.]” West Bend also assumed the obligation to defend Krishna in any suit seeking such damages. Additionally, the policies provided that West Bend’s coverage would apply to “‘personal injury’ caused by an offense arising out of your business, excluding advertising, publishing, broadcasting or telecasting done by you.”

The policies defined the term “personal injury” as:

Injury, other than bodily injury, arising out of one or more of the following offenses:

. . .

d. Oral or written publication of material that slanders or libels a person or organization. . .; or
e. Oral or written publication of material that violates a person’s right of privacy.

The policies also included several express exclusions from coverage. In particular, the policies provided exclusions for claims derived from the violation of certain statutes, stating as follows:

EXCLUSION – VIOLATION OF STATUTES THAT GOVERN E-MAILS, FAX, PHONE CALLS OR OTHER METHODS OF SENDING MATERIAL OR INFORMATION

. . .

This insurance does not apply to:

DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES

‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Privacy Act (TCPA), including any amendment of or addition to such law; or

(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or

(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.

One of the policies also contained an endorsement titled “Illinois Data Compromise Coverage” (the “data compromise endorsement”). That endorsement provided additional coverage in the event of personal data compromise, and stated:

7. ‘Personal Data Compromise’ means the loss, theft, accidental release or accidental publication of ‘personally identifying information’ or ‘personally sensitive information’ as respects one or more ‘affected individuals.’ . . . This definition is subject to the following provisions:

. . .

b. ‘Personal Data Compromise’ includes disposal or abandonment of ‘personally identifying information’ or ‘personally sensitive information’ without appropriate safeguards such as shredding or destruction, subject to the following provisions:

1) The failure to use appropriate safeguards must be accidental and not reckless or deliberate.

The Declaratory Judgment Action

In June 2016, West Bend filed a complaint for declaratory judgment against Krishna and the customer seeking a declaration that it had no obligation to defend Krishna in the lawsuit. West Bend argued that the lawsuit was not covered under the policies because (1) the customer’s allegations did not describe an “advertising injury” or a “personal injury,” (2) the allegations did not qualify for coverage under the data compromise endorsement, and (3) coverage was barred under the statutory violations exclusion. Krishna disagreed with these claims and filed a counterclaim against West Bend claiming West Bend did have a coverage obligation and failed to fulfill it. The parties then filed cross motions for summary judgment.

The trial court denied West Bend’s motion in part and granted Krishna’s motion in part, finding that West Bend had a duty to defend Krishna because the customer’s claims alleged a “personal injury” arising from a “publication which violates a person’s right to privacy” and that the statute violation exclusion did not apply. West Bend appealed.¹ See American Economy Ins. Co. v. Holabird and Root, 382 Ill. App. 3d 1017, 1022-23 (1st Dist. 2008) (recognizing Illinois’ broad interpretation of the duty to defend).

The Appellate Court’s Holding

On appeal, the parties argued and presented three primary issues to the court: (1) whether the allegations in the underlying complaint fell under the policies’ definition of “personal injury”; (2) if so, whether the statute violation carve-out provision in the policies operated to bar coverage; and (3) whether the data compromise endorsement was applicable.

Looking to the first issue, the court found that the customer’s claims alleged a “personal injury” which activated West Bend’s coverage obligation. In particular, the court found that the customer’s claims dealt with an “injury, other than ‘bodily injury’, arising out of . . . oral or written publication of material that violates a person’s right of privacy.” In so holding, the court rejected West Bend’s argument that the term “publication” only encompassed disclosure of information to the general public, as opposed to a single third-party such as SunLync. The court examined both the policy language and the commonly understood meaning of the term “publication” and ultimately concluded that Krishna’s alleged disclosure of fingerprint data to a single third-party constituted a “publication” for purposes of coverage. West Bend was therefore obligated to defend Krishna.

The appellate court’s analysis did not end here, however. West Bend argued that even if the lawsuit fell within the purview of the “personal injury” clause of the policies, the allegations at issue were specifically excluded by the policies’ violation of statute exclusion. That exclusion section provided that West Bend could decline coverage for claims brought based on allegations related to the Telephone Consumer Privacy Act, the CAN-SPAM Act of 2003, or any other statute that prohibits or limits the sending, transmitting, communicating or distribution of material or information. While West Bend argued that the BIPA is a statute that widely “prohibits or limits the sending  . . . of material or information,” the court disagreed with West Bend’s broad reading of the policy and the applicable BIPA provisions, and concluded that West Bend had an obligation to defend.

The court looked at the policy as a whole and determined that the statute violation exclusion was intended to bar coverage for a very limited range of claims, those dealing with the insured’s method of communication (such as, e.g., under the TCPA and the CAN-SPAM Act). The BIPA, on the other hand, did not regulate the method of communication, but rather the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” See 740 ILCS § 14/15(g). Therefore, West Bend was obligated to defend Krishna under the policies.

The court’s holding sets important precedent for duty to defend obligations for claims brought under the BIPA. After the Illinois Supreme Court held in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, 129 N.E.3d 1197, a year ago that a plaintiff need not show actual injury to bring a BIPA violation claim, Illinois and other courts have been inundated with BIPA claims related to the collection and storage of biometric information without complying with the BIPA’s notice and consent requirements under a statute that does not limit statutory damages for class actions. The Illinois Appellate Court’s holding in West Bend clarifies a key issue in the duty to defend analysis for BIPA claims under Illinois’ duty to defend law.  Insurers handling BIPA claims should review and consider this opinion when faced with the question of whether they have a duty to defend in this particular circumstance.