Written by Attorney Matthew T. Connelly for the Summer 2021 Edition of Powerhouse Points, A Quarterly Litigation Update.
Read the full issue here.
- Insurance policy’s coverage for “personal injury” and “advertising injury” was sufficient to trigger duty to defend the insured against a class-action lawsuit alleging violations of the Biometric Information Privacy Act.
- Insurance company could not avoid duty to defend under the policy’s “violation of statute” exclusion.
- Due to the rising number of Biometric Information Privacy Act class-action lawsuits, insurers and insureds should be aware of this decision and its impact on general liability policies.
Recently, in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, the Illinois Supreme Court held that an insurance company owed a duty to defend its insured, a tanning salon, against a class-action lawsuit alleging the salon violated the Biometric Information Privacy Act (“BIPA”). The Illinois Supreme Court found that the duty to defend was owed pursuant to the language of the insured’s business owner’s policy, which provided coverage for lawsuits alleging “personal injury” or “advertising injury.” This case will likely have significant ramifications for the insurance industry due to the growing prevalence of BIPA class-action lawsuits and the substantial settlement amounts that have resulted from such suits.
The Illinois Biometric Privacy Act
BIPA is a relatively new statute that was enacted in Illinois in 2008. See 740 ILCS 14/1. The statute regulates how private entities may collect and obtain people’s biometric identifiers or biometric information (such as fingerprints, voiceprints, facial scans, etc.), as well as bars selling or otherwise profiting from individual’s biometric identifiers or biometric information. See 740 ILCS 14/15. Critically, the statute provides for a private right of action by any person aggrieved by a violation of BIPA, further providing that a prevailing party may recover damages between $1,000 to $5,000 for each violation of BIPA, as well as attorney’s fees. See 740 ILCS 14/20.
Since BIPA’s enactment, there has been an increasing amount of class-action lawsuits alleging violations of BIPA, with over 800 BIPA class-actions filed in just the past few years1. Moreover, some of these cases have recently resulted in substantial settlement amounts. For example, earlier this year the United States District Court for the Northern District of California entered final approval of a $650 million settlement against Facebook in a landmark class-action case alleging violations of BIPA2. Further, this year, a Cook County judge approved a $25 million settlement in a BIPA class-action lawsuit against ADP3. In addition, the United States District Court for the Northern District of Illinois is currently considering approval of a proposed $92 million class-action settlement against Tiktok, Inc. for allegedly violating BIPA4.
While the Illinois legislature introduced a bill earlier this year to impose new limits on BIPA, the bill was referred to the Rules Committee and was not called for a vote prior to end of the spring general session5. As a result, for the foreseeable future it is likely that courts will continue to see a surge in new BIPA class-action lawsuits.
West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc.
This case involved an insured, Krishna Schaumburg Tan, Inc. (“Insured”), which was a franchisee of L.A. Tan. The Insured had a business owner’s policy from West Bend Mutual Insurance Company (“Insurer”) which provided “Business Liability” coverage for lawsuits involving “Personal Injury” or “Advertising Injury.”
A class-action lawsuit was filed against the Insured, which alleged that the tanning salon violated BIPA by requiring its customers to provide their fingerprints, and then disclosing the customer’s fingerprints to an out-of-state vendor, SunLync. The salon tendered defense of the class-action lawsuit to the Insured pursuant to the language of the business owner’s policy.
The Business Owner’s Policy
The business owner’s policy at issue provided coverage for lawsuits alleging a “Personal Injury,” defined as an “injury, other than ‘bodily injury,’ 6 “Bodily injury” was defined in the policy as “bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.”arising out of one or more of the following offenses: . . . Oral or written publication of material that violates a person’s right of privacy.” W. Bend Mut. Ins. Co., 2021 IL 125978, ¶ 8 (emphasis added). Similarly, the policy provided coverage for lawsuits alleging an “Advertising Injury,” defined as an “injury arising out of one or more of the following offenses: . . . Oral or written publication of material that violates a person’s right of privacy.” Id. (emphasis added).
In addition, the policy contained a “violation of statutes” exclusion that stated:
“This insurance does not apply to:
DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES
‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or
(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” Id. at ¶ 9.
Defense Coverage Litigation
The Insurer rejected coverage for the Insured’s defense costs in the underlying BIPA class-action suit and filed a declaratory judgment action denying any duty to defend on the grounds that there was no “personal injury” or “advertising injury” alleged in the class-action. Specifically, the Insurer argued that there was no “publication” of information that violated any person’s right to privacy that would trigger a duty to defend under the business owner’s policy because the Insured only sent its customer’s biometric information to a single third-party vendor rather than to the public at large. Further, the Insurer argued that the violation of statutes exclusion in the policy barred any coverage in this matter. In response, the Insured filed a counterclaim arguing that the Insurer owed a duty to defend under the plain language of the policy.
Following cross-motions for summary judgment, the trial court ruled in the Insured’s favor. The trial court held that the term “publication” in the business owner’s policy “simply means the dissemination of information,” which can be to a single person rather than to the public at large. The trial court also found that the violation of statutes exclusion in the policy was inapplicable because, based on the specific statutes mentioned in the exclusion, the exclusion was only intended to relate to violations of statutes regulating communications, whereas BIPA regulates the collection and use of biometric identifiers and biometric information. The Insurer appealed, and the appellate court affirmed the trial court’s ruling on the same basis. As a result, the Insurer appealed to the Illinois Supreme Court.
Illinois Supreme Court’s Analysis
In determining whether the Insurer’s duty to defend was triggered by the BIPA class-action lawsuit, the Illinois Supreme Court first analyzed whether the Insured’s alleged sharing of its customer’s biometric information with the third-party vendor constituted as a “publication” under the insurance policy. Because “publication” was not defined in the policy, the Illinois Supreme Court analyzed dictionary definitions to define the term, as well as case law and the Restatement (Second) of Torts. Through this analysis, the Illinois Supreme Court found that “the term ‘publication’ has at least two definitions and means both the communication of information to a single party and the communication of information to the public at large.” Id. at ¶ 43. Further, the Illinois Supreme Court found that if there is an ambiguous term in an insurance policy, then the term should be construed broadly against the insurance company. Id. Therefore, the Illinois Supreme Court held that the Insurer’s duty to defend was triggered because sending its customer’s biometric information to a single third party vendor constituted a “publication” of the information; thus, the BIPA class-action alleged a “personal injury” or “advertising injury” under the plain language of the business owner’s policy.
The Illinois Supreme Court next found that the violation of statutes exclusion in the policy did not bar coverage. The Insurer argued the exclusion should apply because its express language barred coverage for lawsuits involving violations of a statute that “prohibits or limits . . . communication or distribution of . . . information,” and BIPA prohibits distributing individual’s personal biometric information. However, the Illinois Supreme Court rejected this argument and found that the first two paragraphs of the violation of statutes exclusion was focused on statutes that regulate communications (i.e. the TCPA and the CAN-SPAM Act), whereas BIPA “does not regulate methods of communication but regulates the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Id. at ¶ 55 (citing 740 ILCS 14/5(g)). The Illinois Supreme Court additionally noted that “regulating telephone calls, faxes, and e-mails is fundamentally different from regulating the collection, use, storage, and retention of biometric identifiers and information (fingerprints, retina or iris scans, voiceprints, or scans of hand or face geometry).” Id.
Further, the Illinois Supreme Court found that under the doctrine of ejusdem generis, because paragraphs 1 and 2 of the violation of statutes exclusion related to statutes regulating communications, the third paragraph’s catch-all provision must also relate to other statutes that regulate communications. Id. at ¶¶ 55-58. The Illinois Supreme Court then held that “since [BIPA] is not a statute of the same kind as the TCPA and the CAN-SPAM Act and since [BIPA] does not regulate methods of communication, the violation of statutes exclusion does not apply.” Id. at ¶ 58.
As a result, the Illinois Supreme Court affirmed the trial court and appellate court’s rulings that the Insurer owed a duty to defend the Insured under the plain language of the policy.
BIPA class-action lawsuits have the potential to result in substantial losses, as shown by Facebook’s historic $650 million settlement, as well the numerous other recent BIPA settlements. Moreover, hundreds of new BIPA class-action lawsuits are filed every year. Therefore, both insurers and insureds need to be aware that the Illinois Supreme Court has established that insurance companies may owe a duty to defend their insureds against BIPA class-action lawsuits pursuant to the language within their general liability insurance policies. Insurance companies in particular should be aware of the Illinois Supreme Court’s ruling and analyze the language within their own policies to determine their risks with regard to future defense and indemnity payments that may result from potential BIPA class-action lawsuits against their insureds.
 Kwabena Appenteng & Andrew Gray Illinois Legislature Considers a Bill Designed to Slow the Flood of Biometric Privacy Class Actions, JDsupra (March 26, 2021), https://www.jdsupra.com/legalnews/illinois-legislature-considers-a-bill-8258761/
 See Order re Final Approval, Attorney’s Fees and Costs, and Incentive Awards, ECF No. 537, In re Facebook Biometric Information Privacy Litigation, 2021 WL 757025 (N.D. Cal. 2021) (Case No. 1:15-cv-03747) .
Jonathan Bilyk, Judge OKs $25M deal to end IL biometrics class actions vs ADP over worker fingerprint scans, CookCountyRecord (March 1, 2021), https://cookcountyrecord.com/stories/574995201-judge-oks-25m-deal-to-end-il-biometrics-class-actions-vs-adp-over-worker-fingerprint-scans
 See Pl’s Mot. for Settlement, ECF No. 122, In re: Tiktoc, Inc., Consumer Privacy Litigation, MDL No. 2948, (N.D. IL, Feb. 25, 2021), (Case No. 1:20-cv-4699); Minute Entry, ECF No. 158, In re: Tiktoc, Inc., Consumer Privacy Litigation, MDL No. 2948, (N.D. IL, Apr. 19, 2021) (Case No. 1:20-cv-4699).
Illinois General Assembly, https://www.ilga.gov/legislation/BillStatus.asp?DocNum=559&GAID=16&DocTypeID=HB&LegId=128636&SessionID=110&GA=102 (last visited June 21, 2021).
 “Bodily injury” was defined in the policy as “bodily injury, sickness or disease sustained by a person, including death resulting from any of these at any time.”