On May 20, 2021, the Supreme Court of Illinois upheld the state's appeal decision and found that the West Bend Mutual Insurance Company must defend its insured, a solarium, against a class action lawsuit alleging violation of the Biometric Information Privacy Act (BIPA) under two business owners' liability policies.
The appellant in the class action bought a membership from the solarium. As part of the use of the salon's services, the plaintiff was obliged to provide the salon with his fingerprints for use in the salon's customer registration system. Solarium then provided that information to its third-party hosting provider. Specifically, the plaintiff claimed:
Krishna Tan systematically and automatically collected, used, stored and disclosed his [customers’] biometric identifiers or biometric data without first obtaining the written version required by 740 ILCS 1
West Bend issued two business owners' liability policies covering the periods December 1, 2014 to December 1, 2015 and December 1, 2015 to December 1, 2016. The policy provided typical coverage for "bodily injury", "" property damage, "" personal injury "and" advertising damage. "In terms of" personal injury "policy coverage, they provided" personal injury "coverage caused by a crime arising out of your business, excluding advertising, publishing, broadcasting or broadcast made by or for you." The policy defined "personal injury" as "injury other than" bodily injury "resulting from one or more of the following offenses:. . . e. Oral or written publications of material that violate a person's right to privacy. "
The policies also include certain exceptions, including an exclusion that blocks coverage of" Personal Injury "or" Advertising Injury ". . . (2) Occurs through oral or written publication of material whose first publication took place before the beginning of the insurance period; [and] (3) Occurs due to intentional violation of a criminal law or ordinances committed by or with the consent of the insured. "
Finally, the policy included exceptions for violations of" The Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))] including amendments to or additions to such laws; (2) CAN-SPAM Act of 2003 [15 U.S.C. § 7701 (Supp. III 2004))] including any amendments or additions to such law; or (3) All statutes, ordinances or regulations, other than the TCPA or CAN-SPAM Act of 2003, which prohibit or restrict the transmission, transmission, communication or distribution of materials or information.
The insured tendered class action. lawsuit to West Bend seeking defense and compensation against the claims. West Bend agreed to defend the insured under a reservation of rights, but argued that the lawsuit was unlikely to be covered by its policy. West Bend then filed a declaratory court application, arguing that the class action was not covered by the policy for personal injury or advertising damage because the trial did not claim to "publish material that violates a person's right to privacy." The policyholder counteracted and argued that its alleged sharing of biometric information with the third party provider was sufficient to constitute "publication" because the usual meaning of publication involves the dissemination of information to a single party.
The trial court, the middle court and, finally, the Illinois Supreme Court, agreed with the insured. In making its decision, the court relied on the general principles for the interpretation of insurance contracts, which require that the terms of an insurance be given its simple and ordinary meaning and interpreted in favor of the insured where they are susceptible to more than a reasonable meaning. The policies did not define the term "publication". Looking at its simple and ordinary meaning, the Court held that publication could mean the distribution of information to the public or a single party. Consequently, the court found that the class action potentially concerned a personal injury or advertising damage, that there was potentially a disclosure of personal information and finally that there were allegations that the insured violated the plaintiff's right to privacy.
The Court also concluded that the exceptions did not apply. The statutes referred to in the policy regulate certain communication methods, such as telephone calls and faxes. And although the policy also contained a provision to capture everything excluding coverage under statutes "other than" the two listed, the court refused to give broad introduction to statutes other than those included in the policy. Relying on the doctrine of ejusdem generis which means the same general kind, the Court found that BIPA was not related to the statutes cited, which were limited to the regulation of telephone and fax, and thus the exemption provision would not be extended to include a charter of a type not explicitly included in the policy. West Bend therefore had an obligation to defend the insured.
As the use of biometric information and its corresponding technology continues to grow, so does the risk of liability for anyone who uses or has that information. Policyholders should therefore be aware that new and emerging risks, such as those associated with the use of biometric information, often fit the broad outlines of their liability insurance policies. Therefore, as always, policyholders should read their insurance policies carefully or consult an experienced insurance coverage adviser to ensure that valuable coverages are not overlooked.