There has been a recent push in a number of states to enact laws governing the
collection and use of biometric identifiers and information. As this type of
legislation becomes more common, it is sure to bring an increase in lawsuits
against companies for violations and, in turn, disputes over insurance
coverage.
Acknowledgment
The author would like to acknowledge Adam Augustyn, an
associate at Lippes Mathias, for his assistance with this article.
One potential source of coverage is the commercial general liability (CGL)
policy's personal and advertising injury coverage part. Several recent
court decisions have addressed whether an exclusion in the personal and
advertising injury coverage part for violations of certain laws bars coverage
for claims under the Illinois Biometric Information Privacy Act (BIPA), which
provides a private cause of action for the collection, retention, disclosure,
or dissemination of a person's biometric identifiers and information
without the person's consent. These courts have reached different results,
even when dealing with the same, or similar, policy language.
The seminal case on coverage for BIPA claims is West Bend Mut. Ins. Co.
v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021)
("Krishna"). In Krishna, the Illinois Supreme Court
concluded that an exclusion for a violation of certain statutes does not
prohibit an insured from obtaining defense coverage for alleged violations of
BIPA. Since that decision, however, courts have reached different conclusions
on whether a slightly different variation of the exclusion applies to BIPA
claims.
West Bend Mut. v. Krishna
In Krishna, a tanning salon franchisee was named in a class-action
lawsuit alleging that it violated BIPA by collecting, using, storing, and
disclosing customers' fingerprints without obtaining the customers'
written consent. The policyholder sought defense and indemnity under the
personal and advertising injury coverage of its CGL policy. The insurer argued,
among other things, that the "Violation of Statutes" exclusion in the
policy prohibited coverage. The exclusion barred coverage for personal or
advertising injury that does the following.
[A]rising directly or indirectly out of any action or omission that
violates or is alleged to violate: (1) The Telephone Consumer Protection Act
(TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to
such law; or (2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III
2004))], including any amendment of or addition to such law; or (3) Any
statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of
2003, that prohibits or limits the sending, transmitting, communicating, or
distribution of material or information.
In analyzing whether the exclusion applied, the Illinois Supreme Court
observed that the issue was whether BIPA was a "statute … other
than" the enumerated statutes such that the exclusion could
unambiguously apply. In addressing that issue, the court applied a canon of
contract interpretation known as ejusdem generis, which provides that,
where general words (such as "other than") follow a list of specific
things, the general words are held to apply only to things of the same general
kind or class as those specifically mentioned.
In that regard, the court noted that "the exclusion is titled
'Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other
Methods of Sending Material or Information,'" and the enumerated
statutes—the TCPA and CAN-SPAM Act of 2003—both governed methods of
communication. Id. at 60. Accordingly, the court held that, under the
doctrine of ejusdem generis, the phrase "other
than" should be construed to mean "other statutes of the same general
kind that regulate methods of communication like the TCPA and the CAN-SPAM
Act." Id.
The court found that BIPA, unlike the TCPA and CAN-SPAM Act, regulates the
collection, retention, and dissemination of a specific class (i.e., biometric)
of information. Thus, the court concluded that "since [BIPA] is not a
statute of the same kind as the TCPA and the CAN-SPAM Act and since the [BIPA]
does not regulate methods of communication, the violation of statutes exclusion
does not apply to the [BIPA]."
Post-Krishna Decisions
Following Krishna, district courts have grappled with whether
different variations of the violation of statutes exclusion prohibit coverage.
For example, in American Family Mut. Ins. Co., S.I. v. Carnagio Enter.,
Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022), the court addressed
whether an exclusion entitled "Distribution of Material in Violation of
Statutes," that was otherwise identical to the exclusion in
Krishna, applied to BIPA claims. The insurer argued that it did
because the change in title made clear that the "other than" referred
to any statute governing the distribution of material.
The court rejected the insurer's argument, finding that, while the title
was different, the substance of the exclusion was not, and the phrase
"other than" had to be construed with reference to the specific
statutes identified in the exclusion (i.e., the TCPA and CAN-SPAM Act). In that
regard, the court held that "BIPA is not like the TCPA and the CAN-SPAM
Act, because BIPA protects a different kind of privacy and uses a different
method to do so." Id. at *7.
In contrast, in Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs.
LLC, 2021 WL 4392061 *1 (M.D.N.C. Sept. 24, 2021), a North Carolina
District Court held that there was no coverage for BIPA claims under an
exclusion titled "Recording and Distribution of Material or
Information," which barred coverage for personal and advertising injury
that does the following.
[A]rising directly or indirectly out of any action or omission that
violates or is alleged to violate: (1) The Telephone Consumer Protection Act
(TCPA), including any amendment of or addition to such law; (2) The CAN-SPAM
Act of 2003, including any amendment of or addition to such law; (3) The Fair
Credit Reporting Act (FCRA), and any amendment of or addition to such law,
including the Fair and Accurate Credit Transactions Act (FACTA); or (4) Any
federal, state or local statute, ordinance or regulation, other than the
TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that
addresses, prohibits, or limits the printing, dissemination, disposal,
collecting, recording, sending, transmitting, communicating or distribution
of material or information.
In finding for the insurer, the court relied on two district court
decisions. In the first, Hartford Cas. Ins. Co. v. Greve, 2017 WL
5557669, at *4 (W.D.N.C. Nov. 17, 2017), the court held that a violation of
statutes exclusion identical to the exclusion in Krishna prohibited
coverage for a lawsuit arising out of an alleged violation of the Driver's
Privacy and Protection Act, 18 U.S.C. § 2725, which limits the distribution of
personal information from a motor vehicle record. In that case, the court
concluded that "there is no coverage under the Policies when personal or
advertising injury arises from the alleged violation a statute that limits the
communication or distribution of material or information."
The Greve court did not address the fact that TCPA and CAN-SPAM Act
regulate "methods" of communication or that the title of the
exclusion expressly references statutes regulating "other methods" of
communication. The Massachusetts Bay court recognized, in a footnote,
that the reasoning of the court in Greve was inconsistent with
Krishna, but rather than address the conflict on the merits, the court
simply disregarded Krishna on the basis that it was applying Illinois
law, not North Carolina law.
The Massachusetts Bay court also relied on OneBeacon Am. Ins.
Co. v. Urban Outfitters, Inc., 21 F. Supp. 3d 426, 440 (E.D. Pa. 2014). In
Urban Outfitters, the court addressed a "Recording and
Distribution of Material or Information in Violation of Law" exclusion
that was identical to the exclusion in Massachusetts Bay. The
Urban Outfitters court concluded that the exclusion prohibited
coverage for the insured's alleged violation of the Song-Beverly Credit
Card Act, which prohibits businesses from requiring personal information from
customers as a prerequisite to accepting a credit card payment.
The court did not address whether the "other than" language in the
exclusion should be restricted to statutes of the same general kind or class as
those specifically listed in the exclusion; instead, the court simply concluded
that the exclusion "bars collecting and recording information," which
"is consonant with the Song-Beverly prohibition against
'[requesting],' '[requiring],' or '[recording]' zip
code data as a condition of purchase." Id. at 440.
Relying on these decisions, the Massachusetts Bay court reasoned that BIPA
was excluded because the portion of the exclusion barring the "the
'[collection]' and 'dissemination' of information, [was]
consonant with BIPA's prohibition against collection and disclosure of
biometric identifiers and biometric information." Massachusetts Bay
Ins. Co., 2021 WL 4392061, at *6.
The court also concluded that, under the canon of ejusdem generis,
BIPA was "of the same kind, character, and nature of the enumerated
statutes" because BIPA, like the TCPA, CAN-SPAM Act, and FCRA, was
intended to protect an individual's "privacy interest."
Id. *7. The court also rejected Krishna as inapplicable
because it involved "a different exclusion than the one at issue
here," implicitly concluding that the addition of the FCRA to the list of
enumerated statutes and the addition of the words "collecting" and
"recording" were sufficient to bring BIPA within the scope of the
exclusion.
However, two more recent decisions from the Northern District of Illinois
have repudiated the Massachusetts Bay court's reasoning. First, in
Citizens Ins. Co. of Am. v. Thermoflex Waukegan LLC, 2022 WL 602534
(N.D. Ill. Mar. 1, 2022), the district court considered whether an identically
worded recording and distribution exclusion prohibited coverage for the
policyholder's alleged BIPA violation. Although the court did not cite
Massachusetts Bay, it relied on the Krishna court's
conclusion that BIPA was enacted to regulate the collection of a particular
type of information, whereas the statutes enumerated in the exclusion governed
either method of distributing information or, in the case of the FCRA, the use
of materials such as background reports. Accordingly, the court found that the
exclusion did not apply because "[on] its face, BIPA is not 'of the
same kind,' … as the TCPA, the CAN-SPAM Act, or the FCRA...."
Id. at *6.
In Citizens Ins. Co. of Am. v. Wynndalco Enter. LLC, 2022 WL
952534, at *1 (N.D. Ill. Mar. 30, 2022), the court directly addressed the
Massachusetts Bay court's conclusion that the enumerated statutes
in the exclusion all regulated "privacy" and, therefore, were
"of a kind" with BIPA. The Wynndalco court began by
rejecting the insurer's argument that BIPA was consistent with the
enumerated statutes insofar they all regulate "information" because
"reading the exclusion in this way would swallow the rule" as
"[m]ost statutes 'regulate … information' to some degree" and
interpreting the exclusion in such a broad manner would render other provisions
illusory. The court then opined that "the Massachusetts Bay court
did not grapple with the distinction between the two types of privacy that are
implicated in the enumerated statutes—privacy of personal information (as
concerns FCRA and FACTA), versus privacy from unwanted communications (as
concerns the TCPA and the CAN-SPAM Act)." Id. at *5.
Specifically, the court observed that "[t]he TCPA and the CAN-SPAM Act
protect 'privacy' by regulating unauthorized communications that
private citizens receive (e.g., telemarketing calls and spam emails),"
whereas "the FCRA, FACTA, and BIPA protect 'privacy' in a
different sense, by regulating how private entities must handle private
information that citizens give away (e.g., credit card numbers and facial
scans)." Id. Because the Massachusetts Bay court's
analysis did not consider this distinction between the two types of privacy
interests contemplated by the enumerated statutes, the Wynndalco court
declined to endorse its reasoning and instead held that, since there was no
common link between the enumerated statutes, the principle of ejusdem
generis could not be used to read the exclusion's "other
than" language as applying to BIPA. Instead, the court found that the
exclusion was "intractably ambiguous," and, thus, the insurer had not
met its burden of showing that the exclusion barred coverage for the underlying
action.
Implications of These Rulings
As these recent decisions illustrate, Krishna was not the last word
on whether the statutory violation exclusions apply to BIPA claims. Whether a
court is willing to apply the exclusions depends on how broadly it considers
the "purpose" of the enumerated statutes (i.e., whether it is enough
to say that the statutes protect privacy or whether the fact that there are
different types of privacy interests must be considered).
The more recent Illinois district court decisions that rejected the
Massachusetts Bay court's reasoning suggest that, at least in
Illinois, courts are not willing to provide the exclusion with an expansive
construction. Whether this holds true in other states, particularly as more
states enact biometric statutes patterned after BIPA, remains to be seen.