On May 20, 2021, the Supreme Court of Illinois upheld the state appellate decision finding that that West Bend Mutual Insurance Company must defend its insured, a tanning salon, against a class-action lawsuit claiming violation of the Biometric Information Privacy Act (BIPA) under two business owners’ liability policies.
The plaintiff in the class action lawsuit purchased a membership from the tanning salon. As part of the use of the salon’s services, the plaintiff was required to provide the salon with her fingerprints for use in the salon’s client registration system. The tanning salon then provided that information to its third-party vendor for hosting. Specifically, the plaintiff alleged:
Krishna Tan systematically and automatically collected, used, stored, and disclosed their [customers’] biometric identifiers or biometric information without first obtaining the written release required by 740 ILCS 14/15(b)(3). Specifically, Krishna Tan systematically disclosed Plaintiff’s and the Class’s biometric identifiers and biometric information to SunLync, an out-of-state . . . vendor.
West Bend issued two business owners’ liability policies covering the periods of December 1, 2014 through December 1, 2015 and December 1, 2015 through December 1, 2016. The policies provided typical coverages for “bodily injury,” “property damage,” “personal injury” and “advertising injury.” With respect to the policies’ “personal injury” coverage, they afforded coverage for “‘Personal injury’ caused by an offense arising out of your business, excluding advertising, publishing, broadcasting or telecasting done by or for you.” The policies defined “personal injury” as “injury, other than ‘bodily injury’, arising out of one or more of the following offenses: . . . e. Oral or written publications of material that violates a person’s right of privacy.”
The policies also contain certain exclusions, including an exclusion barring coverage for “‘Personal injury’ or ‘advertising injury’ . . . (2) Arising out of oral or written publication of material whose first publication took place before the beginning of the policy period; [and] (3) Arising out of the willful violation of a penal statute or ordinance committed by or with the consent of the insured.”
Finally, the policies included exclusions for violations of “The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; (2) The CAN-SPAM Act of 2003 [15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
The insured tendered the class action lawsuit to West Bend seeking defense and indemnity against the claims. West Bend agreed to defend the insured, pursuant to a reservation of rights, but claimed that the lawsuit was likely not covered by its policies. West Bend then filed a declaratory judgment action, alleging that the class action lawsuit did not come within the policies’ coverages for personal or advertising injury because the lawsuit did not allege “publication of material that violates a person’s right of privacy.” The policyholder countered, contending that its alleged sharing of biometric information with the third-party vendor were sufficient to constitute “publication” since the ordinary meaning of publication includes dissemination of information to a single party.
The trial court, intermediate appellate court and, ultimately, the Illinois Supreme Court, agreed with the insured. In reaching its decision, the court relied upon the general principles of insurance contract interpretation, which require that a policy’s terms are afforded their plain and ordinary meaning and interpreted in favor of the insured where susceptible to more than one reasonable meaning. The policies did not define the term “publication.” When looking to its plain and ordinary meaning, the court determined that publication could mean distribution of information to the public or a single party. Accordingly, the court found that the class action lawsuit potentially alleges a personal or advertising injury, that there was potentially a publication of personal information, and finally that there were allegations that the insured violated the plaintiff’s right to privacy.
The court also concluded that the exclusions did not apply. The statutes referenced in the policy regulate certain methods of communications, such as telephone calls and faxes. And, while the policies also included a catch-all provision excluding coverage under statutes “other than” the two listed, the court refused to afford broad inclusion to statutes other than those of the type included in the policies. Relying upon the doctrine of ejusdem generis, meaning same general kind, the court found that BIPA was not related to the statutes listed, which were limited to regulation of telephone calls and faxes, and thus the exclusionary provision would not be expanded to include a statute of a type not expressly included in the policies. West Bend therefore had a duty to defend the insured.
As the use of biometric information and its corresponding technology continues to grow, so does the risk of liability of all who use or possess that information. Policyholders should remain mindful, therefore, that new and emerging risks, such as those associated with the use of biometric information, often fit the broad contours of their liability insurance policies. As always, therefore, when facing any claim or lawsuit, policyholders should read their insurance policies carefully or consult with experienced insurance coverage counsel to ensure that valuable coverages are not overlooked.