Courts Rule on Insurance for Violations of Biometric Privacy Laws

West Bend Mut. v. Krishna

In Krishna, a tanning salon franchisee was named in a class-action lawsuit alleging that it violated BIPA by collecting, using, storing, and disclosing customers' fingerprints without obtaining the customers' written consent. The policyholder sought defense and indemnity under the personal and advertising injury coverage of its CGL policy. The insurer argued, among other things, that the "Violation of Statutes" exclusion in the policy prohibited coverage. The exclusion barred coverage for personal or advertising injury that does the following.

[A]rising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or (2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating, or distribution of material or information.

— Id. at 52.

In analyzing whether the exclusion applied, the Illinois Supreme Court observed that the issue was whether BIPA was a "statute … other than" the enumerated statutes such that the exclusion could unambiguously apply. In addressing that issue, the court applied a canon of contract interpretation known as ejusdem generis, which provides that, where general words (such as "other than") follow a list of specific things, the general words are held to apply only to things of the same general kind or class as those specifically mentioned.

In that regard, the court noted that "the exclusion is titled 'Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information,'" and the enumerated statutes—the TCPA and CAN-SPAM Act of 2003—both governed methods of communication. Id. at 60. Accordingly, the court held that, under the doctrine of ejusdem generis, the phrase "other than" should be construed to mean "other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act." Id.

The court found that BIPA, unlike the TCPA and CAN-SPAM Act, regulates the collection, retention, and dissemination of a specific class (i.e., biometric) of information. Thus, the court concluded that "since [BIPA] is not a statute of the same kind as the TCPA and the CAN-SPAM Act and since the [BIPA] does not regulate methods of communication, the violation of statutes exclusion does not apply to the [BIPA]."

Post-Krishna Decisions

Following Krishna, district courts have grappled with whether different variations of the violation of statutes exclusion prohibit coverage. For example, in American Family Mut. Ins. Co., S.I. v. Carnagio Enter., Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022), the court addressed whether an exclusion entitled "Distribution of Material in Violation of Statutes," that was otherwise identical to the exclusion in Krishna, applied to BIPA claims. The insurer argued that it did because the change in title made clear that the "other than" referred to any statute governing the distribution of material.

The court rejected the insurer's argument, finding that, while the title was different, the substance of the exclusion was not, and the phrase "other than" had to be construed with reference to the specific statutes identified in the exclusion (i.e., the TCPA and CAN-SPAM Act). In that regard, the court held that "BIPA is not like the TCPA and the CAN-SPAM Act, because BIPA protects a different kind of privacy and uses a different method to do so." Id. at *7.

In contrast, in Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs. LLC, 2021 WL 4392061 *1 (M.D.N.C. Sept. 24, 2021), a North Carolina District Court held that there was no coverage for BIPA claims under an exclusion titled "Recording and Distribution of Material or Information," which barred coverage for personal and advertising injury that does the following.

[A]rising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; (3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

— Id. at *2.

In finding for the insurer, the court relied on two district court decisions. In the first, Hartford Cas. Ins. Co. v. Greve, 2017 WL 5557669, at *4 (W.D.N.C. Nov. 17, 2017), the court held that a violation of statutes exclusion identical to the exclusion in Krishna prohibited coverage for a lawsuit arising out of an alleged violation of the Driver's Privacy and Protection Act, 18 U.S.C. § 2725, which limits the distribution of personal information from a motor vehicle record. In that case, the court concluded that "there is no coverage under the Policies when personal or advertising injury arises from the alleged violation a statute that limits the communication or distribution of material or information."

The Greve court did not address the fact that TCPA and CAN-SPAM Act regulate "methods" of communication or that the title of the exclusion expressly references statutes regulating "other methods" of communication. The Massachusetts Bay court recognized, in a footnote, that the reasoning of the court in Greve was inconsistent with Krishna, but rather than address the conflict on the merits, the court simply disregarded Krishna on the basis that it was applying Illinois law, not North Carolina law.

The Massachusetts Bay court also relied on OneBeacon Am. Ins. Co. v. Urban Outfitters, Inc., 21 F. Supp. 3d 426, 440 (E.D. Pa. 2014). In Urban Outfitters, the court addressed a "Recording and Distribution of Material or Information in Violation of Law" exclusion that was identical to the exclusion in Massachusetts Bay. The Urban Outfitters court concluded that the exclusion prohibited coverage for the insured's alleged violation of the Song-Beverly Credit Card Act, which prohibits businesses from requiring personal information from customers as a prerequisite to accepting a credit card payment.

The court did not address whether the "other than" language in the exclusion should be restricted to statutes of the same general kind or class as those specifically listed in the exclusion; instead, the court simply concluded that the exclusion "bars collecting and recording information," which "is consonant with the Song-Beverly prohibition against '[requesting],' '[requiring],' or '[recording]' zip code data as a condition of purchase." Id. at 440.

Relying on these decisions, the Massachusetts Bay court reasoned that BIPA was excluded because the portion of the exclusion barring the "the '[collection]' and 'dissemination' of information, [was] consonant with BIPA's prohibition against collection and disclosure of biometric identifiers and biometric information." Massachusetts Bay Ins. Co., 2021 WL 4392061, at *6.

The court also concluded that, under the canon of ejusdem generis, BIPA was "of the same kind, character, and nature of the enumerated statutes" because BIPA, like the TCPA, CAN-SPAM Act, and FCRA, was intended to protect an individual's "privacy interest." Id. *7. The court also rejected Krishna as inapplicable because it involved "a different exclusion than the one at issue here," implicitly concluding that the addition of the FCRA to the list of enumerated statutes and the addition of the words "collecting" and "recording" were sufficient to bring BIPA within the scope of the exclusion.

However, two more recent decisions from the Northern District of Illinois have repudiated the Massachusetts Bay court's reasoning. First, in Citizens Ins. Co. of Am. v. Thermoflex Waukegan LLC, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022), the district court considered whether an identically worded recording and distribution exclusion prohibited coverage for the policyholder's alleged BIPA violation. Although the court did not cite Massachusetts Bay, it relied on the Krishna court's conclusion that BIPA was enacted to regulate the collection of a particular type of information, whereas the statutes enumerated in the exclusion governed either method of distributing information or, in the case of the FCRA, the use of materials such as background reports. Accordingly, the court found that the exclusion did not apply because "[on] its face, BIPA is not 'of the same kind,' … as the TCPA, the CAN-SPAM Act, or the FCRA...." Id. at *6.

In Citizens Ins. Co. of Am. v. Wynndalco Enter. LLC, 2022 WL 952534, at *1 (N.D. Ill. Mar. 30, 2022), the court directly addressed the Massachusetts Bay court's conclusion that the enumerated statutes in the exclusion all regulated "privacy" and, therefore, were "of a kind" with BIPA. The Wynndalco court began by rejecting the insurer's argument that BIPA was consistent with the enumerated statutes insofar they all regulate "information" because "reading the exclusion in this way would swallow the rule" as "[m]ost statutes 'regulate … information' to some degree" and interpreting the exclusion in such a broad manner would render other provisions illusory. The court then opined that "the Massachusetts Bay court did not grapple with the distinction between the two types of privacy that are implicated in the enumerated statutes—privacy of personal information (as concerns FCRA and FACTA), versus privacy from unwanted communications (as concerns the TCPA and the CAN-SPAM Act)." Id. at *5.

Specifically, the court observed that "[t]he TCPA and the CAN-SPAM Act protect 'privacy' by regulating unauthorized communications that private citizens receive (e.g., telemarketing calls and spam emails)," whereas "the FCRA, FACTA, and BIPA protect 'privacy' in a different sense, by regulating how private entities must handle private information that citizens give away (e.g., credit card numbers and facial scans)." Id. Because the Massachusetts Bay court's analysis did not consider this distinction between the two types of privacy interests contemplated by the enumerated statutes, the Wynndalco court declined to endorse its reasoning and instead held that, since there was no common link between the enumerated statutes, the principle of ejusdem generis could not be used to read the exclusion's "other than" language as applying to BIPA. Instead, the court found that the exclusion was "intractably ambiguous," and, thus, the insurer had not met its burden of showing that the exclusion barred coverage for the underlying action.

Implications of These Rulings

As these recent decisions illustrate, Krishna was not the last word on whether the statutory violation exclusions apply to BIPA claims. Whether a court is willing to apply the exclusions depends on how broadly it considers the "purpose" of the enumerated statutes (i.e., whether it is enough to say that the statutes protect privacy or whether the fact that there are different types of privacy interests must be considered).

The more recent Illinois district court decisions that rejected the Massachusetts Bay court's reasoning suggest that, at least in Illinois, courts are not willing to provide the exclusion with an expansive construction. Whether this holds true in other states, particularly as more states enact biometric statutes patterned after BIPA, remains to be seen.