In West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2020 Ill. App. LEXIS 179 (Ill. Ct. App. March 20, 2020), the Illinois Appellate Court issued a first-of-its-kind decision: that underlying allegations of violation of the Illinois Biometric Information Privacy Act (BIPA) constituted “personal and advertising injury,” and coverage for which was not prohibited by the catch-all provision of the Distribution of Material (or “TCPA”) exclusion. The decision potentially opens the door to a flood of insurance claims for one of the fastest-growing areas of privacy litigation in the United States. Yet, as discussed further below, there may be some respite for insurers.
BACKGROUND
In West Bend, the insured, Krishna Schaumburg Tan, Inc. (Krishna) was sued in an April 2016 underlying putative class action for alleged violation of BIPA. According to the underlying complaint, when someone first purchases services at Krishna, he or she is enrolled in the L.A. Tan national membership database to allow them use of any L.A. Tan location. 2020 Ill. App. LEXIS 179 at *5. The lawsuit alleged that Krishna’s customers are required “to have their fingerprints scanned” for the purpose of verifying their identification, and that when the underlying class representative signed up for a membership with Krishna in April 2015, she was enrolled in the database at that time, which required her to provide a scan of her fingerprint. Id. at *5. The underlying plaintiff allegedly was never provided with, nor signed, a written release allowing Krishna to disclose her biometric data to any third party. Id. at *5-6. The lawsuit asserts that Krishna violated BIPA by disclosing her fingerprint data to an out-of-state third-party vendor, SunLync, without her consent. Id. at *6.
The insurer in West Bend had issued two general liability policies to Krishna for the periods of 2014-2015 and 2015-2016. Both provided coverage for “personal injury,” defined in part as “injury, other than ‘bodily injury,’ arising out of … oral or written publication of material that violates a person’s right of privacy.” 2020 Ill. App. LEXIS 179 at *7. The insurer agreed to defend Krishna subject to a reservation of rights, and commenced a declaratory judgment action. Id. at *6. The insurer argued that the underlying allegations did not involve “personal injury” because there was no “publication.” Id. In the alternative, it argued that the distribution of material in violation of a statute exclusion prohibited coverage.[1] Id. at *6. The Illinois Appellate Court rejected both arguments.
THE MEANING OF “PUBLICATION”
First, the Appellate Court rejected the insurer’s argument that the term “publication” — not defined in the policies — should take on the meaning given by the Illinois Supreme Court in Valley Forge Ins. Co. v. Swiderski Electronics, Inc., 834 N.E.2d 562 (Ill. 2005). Based on Valley Forge, the insurer argued, the term requires a communication of information “to the public at large, not simply a single third party,” and so the allegation that Krishna published the plaintiff’s fingerprint scan to a single third party did not constitute a “publication.” 2020 Ill. App. LEXIS 179 at *11. The Illinois Appellate Court rejected the insurer’s argument as being too “narrow” of an interpretation under Valley Forge. Id. at *12.
Instead, the Appellate Court observed, the Valley Forge decision requires courts to use dictionaries to determine the plain and ordinary meaning of an undefined term. In West Bend, the Appellate Court examined dictionary definitions for the term “publication,” and observed that the “[c]ommon understandings and dictionary definitions of ‘publication’ clearly include both the broad sharing of information to multiple recipients that the court viewed a ‘publication’ in Valley Forge and a more limited sharing of information with a single third party.” Id. at *15.
Troublingly, when defining “publication” in West Bend, the Appellate Court refused to recognize the stark distinction of the term’s meaning in a privacy claim (requiring broad dissemination) and a defamation claim (requiring dissemination to a single person only):
To the extent that West Bend suggests that “publication” means something different in the context of defamation than it does in the context of privacy rights, the policies use the exact same terminology of “[o]ral or written publication of material” as the basis for both a defamation-related injury and a privacy-related injury. These two definitions are immediately sequential in the policies. When construing insurance policies, “‘it is a general rule that absent language to the contrary, a word or phrase in one part is presumed to have the same meaning when it is used in another part of a policy.’” . . . This should be particularly true where, as here, the two policy provisions are in the same section of the policies.
Id at *15-16 (citations omitted). Had the insurer in West Bend “wished the term ‘publication’ to be limited to communication of information to a large number of people,” the Appellate Court added, “it could have explicitly defined it as such in its policy.” Id. at *16. Because the insurer hadn’t, the court continued, the underlying allegations implicated the duty to defend:
Because a common understanding of “publication” encompasses Krishna’s act of providing Ms. Sekura’s fingerprint data to a third party, there also exists potential that Ms. Sekura’s claim against Krishna is covered by the policies. As such, West Bend has a duty to defend Krishna against the underlying complaint pursuant to the “personal injury” coverage provision.
Id. at *16.
THE SCOPE OF THE “DISTRIBUTION OF MATERIAL” EXCLUSION
The Appellate Court in West Bend not only found the plaintiff’s BIPA claim covered as “personal injury,” but also found that the Distribution Of Material exclusion did not apply to bar coverage for the claim.
The exclusion in West Bend prohibited coverage for “personal injuries ‘arising directly or indirectly out of any action or omission that violates or is alleged to violate’ . . . ‘[a]ny statute, ordinance or regulation . . . that prohibits or limits the sending, transmitting, communication or distribution of material or information.’” 2020 Ill. App. LEXIS 179, at *17.
Contending that the exclusion applied, the insurer in West Bend relied upon section 15(d) of BIPA, which provides that “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information unless” certain specified conditions are met. Id. at *18.
The Appellate Court disagreed with the insurer’s argument, concluding that a reading of the exclusion, as a whole, demonstrated that the exclusion was intended to prohibit coverage for a different risk: violation of statutes that govern methods of communication — e.g., faxes, emails, and telephone calls. Id. at *18-19. The court explained:
The violation of statutes exclusion read in its entirety makes clear, however, that it was not intended to bar coverage for a violation of a statute like the Act. In fact, the exclusion is meant to bar coverage for the violation of a very limited type of statute that is evidenced first from the exclusion’s title which West Bend conveniently shortens to "Violation of Statutes." The title, as a whole, is: "Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information." (Emphasis added.) The title makes clear that the exclusion applies to statutes that govern certain methods of communication, i.e., e-mails, faxes, and phone calls, not to other statutes that limit the sending or sharing of certain information.
Id.
The catch-all, moreover, was limited by the context of the exclusion’s citation to the TCPA and CAN-SPAM statutes in the first two sections, the Appellate Court further explained:
So only after listing two specific statutes—the violation of which the exclusion applies to—each with a clear purpose of governing methods of communication such as e-mails and phone calls, does the exclusion include a final catch-all provision for a statute “that prohibits or limits the sending, transmitting, communication or distribution of material or information.” In light of the title and the two specific statutes listed in the exclusion, the more reasonable reading of this third item is that it is meant to encompass any State or local statutes, rules, or ordinances that, like the TCPA and the CAN-SPAM Act, regulate methods of communication.
Id. at *19-20 (italics added, underline in original).
Thus, the Appellate Court reasoned, while the Distribution Of Material exclusion prohibited “coverage to violations of statutes that regulate methods of communication,” BIPA “says nothing about methods of communication,” and “instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’” 2020 Ill. App. LEXIS 179, at *20-21. So, the Appellate Court in West Bend concluded, the exclusion did not apply to the underlying BIPA claims against Krishna. Id.
WHAT THIS CASE MEANS
The West Bend decision applied a broad definition to the meaning of “publication” and eviscerated the Distribution Of Material exclusion, at least as applied to BIPA claims. But the decision is inconsistent. That’s problematic.
The decision applies a broad meaning to the term “publication” for “personal injury” or “personal and advertising injury,” applying the meaning of the term typically used by courts for a defamation claim, in the context of a privacy claim. Lost in the Appellate Court’s analysis is that a narrow meaning for the term “publication” in the definition for “personal injury” or “personal and advertising injury” can be gleaned from and is demonstrated in the context of its use — i.e., whether used in the right of privacy offense or used in the defamation/libel offense. The Appellate Court discarded the context of the term’s use, and the distinction of the term’s meaning depending upon the cause of action at issue, and instead chose to interpret the term in isolation.
However, the court then rejected this same approach when interpreting the scope of the Distribution Of Material exclusion. Adopting a contextual-based approach to its analysis, the court limited the scope of the exclusion to a set of risks seemingly beyond BIPA. The court also ignored clear language of the statute. The court stated that BIPA “says nothing about methods of communication,” but ignores section 15(d) of the statute — relied upon by the insurer — which states “[n]o private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information” unless certain conditions are met (emphasis added).
A final note: both policies did not have the Access or Disclosure of Personal Information exclusion. The exclusion, which prohibits coverage for unauthorized disclosure of personal information, was promulgated by the insurance industry in the wake of early data breach losses. The exclusion should preclude coverage for BIPA claims. However, the exclusion has not yet been tested. One wonders whether courts will take a similar, limiting analytical approach with the exclusion as the Appellate Court did here with the Distribution of Material exclusion.
[1] The 2015-2016 Policy also had an insuring agreement for data compromise, which the court did not address.
[View source.]
