On March 1, 2022, the Northern District of Illinois issued an opinion in Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.
In Thermoflex, an employee filed a class-action lawsuit against its employer in Illinois state court, alleging that his employer collected its employees’ handprint data in violation of BIPA. The employer collected the handprint data for purposes of authentication and timekeeping. The employer’s insurers denied coverage for the BIPA class action, relying on the Employment-Related Practices (“ERP”), Recording and Distribution and Access or Disclosure Exclusions. The insurers filed declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.
The ERP Exclusion at issue precluded coverage for personal and advertising injuries that extend to “[e]mployment-related practices, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The insurers argued no coverage existed under the ERP Exclusion and relied on a recent Northern District of Illinois opinion in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022). In Am. Family, which involved the collection of fingerprints, the court found ERP Exclusion applied, noting the BIPA violation was “of the same nature” as practices referred to in ERP exclusion because like BIPA, “[e]ach of ‘coercion, demotion, evaluation, reassignment, discipline, defamation, harassment [and] humiliation,’ reflect a practice that can cause an individual harm to an employee.”
However, the Thermoflex court disagreed with the Am. Family decision, explaining that “reading the exclusions as barring any employment-related practices that ‘can’ cause harm to an employee would potentially preclude coverage for any claim against an employer.” The court held that such a reading is contrary to the rule that policy exclusions must be narrowly construed. The court found it “unclear” whether the ERP Exclusion at issue should be viewed in the same way as in Am. Family, arguably differentiating between “fingerprint” and “handprint” collection, and ultimately held that the insurers could not rely on this exclusion to absolve their duty to defend.
The Thermoflex court similarly rejected application of the Recording and Distribution Exclusion as a basis to deny coverage. The Recording and Distribution Exclusion at issue precluded coverage for personal injuries arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) Telephone Consumer Protection Act (“TCPA”), (2) CAN-SPAM Act of 2003, (3) Fair Credit Reporting Act (“FCRA”), or (4) “any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court noted that the Illinois Supreme Court in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (Ill. May 21, 2021) already analyzed a similar exclusion. In that case, the Illinois Supreme Court explained that this exclusion did not apply to preclude coverage for a BIPA claim because BIPA is not the “same kind” as the TCPA and CAN-SPAM Act, and it also does not regulate methods of communications like the other enumerated statutes. The district court held that it was “[a]t best” ambiguous whether BIPA was sufficiently similar to those other statutes, and “at worst” BIPA is a different kind of statute from the other statutes. Because the court viewed this exclusion ambiguous, it held that the policies must be construed in favor of finding coverage for the insured.
The court also rejected the application of the Access or Disclosure Exclusion. The Access or Disclosure Exclusion at issue precluded “‘[p]ersonal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court held that handprints “do not share the attributes . . . of privacy or sensitivity.” BIPA expressly distinguishes between “biometric identifiers” and “confidential and sensitive information.” The court noted that “none of the examples of biometric identifiers listed in the statutory definition are included in the definition of confidential and sensitive information.” The statutory text also makes clear that BIPA regards “[b]iometrics [as] unlike other unique identifiers that are used to access finances or other sensitive information.” Thus, the court held that it was at best unclear whether BIPA treats handprints as “confidential and sensitive information.” For this reason, the court held that the exclusion did not apply.
Although an unpublished opinion, this finding is significant in that it shows a departure from an earlier ruling concerning the ERP Exclusion. The court did not agree with the rationale in Am. Family regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. However, it did not go as far as to reject Am. Family. The court simply did not believe the ERP Exclusion at issue should be viewed in the same way as in Am. Family because it involved “handprints” and not “fingerprints.” The decision further cuts against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Recording and Distribution Exclusion to preclude coverage for a BIPA lawsuit (Am. Family also held that these exclusions did not apply to preclude coverage).
The post Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit appeared first on Privacy Risk Report.