An insurer must defend a company accused of violating Illinois’ Biometric Privacy Act, but only after the company’s primary policy limits are exhausted, a federal district court ruled.
New York-based Mitsui Sumitomo Insurance USA Inc. issued several policies to Waukegan, Illinois-based Thermoflex Waukegan LLC, an industrial machinery and equipment company, including commercial general liability and deductibles and umbrella policies, according to Thursday’s order by the U.S. District Court in Chicago in Thermoflex Waukegan LLC v. Mitsui Sumitomo Insurance USA Inc.
Gregory Gates sued Thermoflex in Illinois state court, alleging that they violated BIPA by requiring hourly workers to scan their handprints every time they clocked in and out of work, transferring the data to a third party without permission, and failing to provide them with a publicly available policy or identify its retention schedule or procedures. BIPA requires companies to have a publicly available written policy that sets out a retention schedule that governs how long they retain the biometric data they collect and guidelines for its destruction.
After Mitsui refused to defend or indemnify Thermoflex in the lawsuit, both parties filed cross-motions for summary judgment.
Another district judge previously held that Mitsui had no duty to defend or indemnify Thermoflex under its CGL policies and requested separate hearings on whether it had those duties under its excess and umbrella policies.
The district court, with another judge hearing the case, ruled that Mitsui owes Thermoflex a duty to defend the company under its umbrella policy, which provides coverage for damages Thermoflex becomes legally obligated to pay for “personal and advertising injury”; that exceeds its self-insurance or other insurance coverage , with some exceptions.
Discussing the statutory trespass exclusion, the ruling said: “Without plain meaning of the text, or using canons of construction, the exclusion is ambiguous and must be construed in favor of coverage.”
The ruling also said that the umbrella coverage’s data breach exclusion, while limited to the data breach context, must also be construed in favor of coverage.
Thermoflex attorney David B. Goodman, of the Goodman Law Group in Chicago, said in a statement that the ruling “provides a clear analysis of why the statutory violations and employment-related practice exceptions are either inapplicable or ambiguous and do not excuse insurers from providing a defense for BIPA claims.”
Lawyers for the insurance company did not respond to a request for comment.
In December, a federal district court in New York refused to dismiss a putative class-action lawsuit filed under BIPA against fashion designer Louis Vuitton in connection with its website’s “Virtual Try-On” eyewear feature.