On March 8, 2022, the Northern District of Illinois issued an opinion in State Auto. Mut. Insur. Co. v. Tony’s Finer Foods Enter., Inc., et al., 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022) again addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq. The Northern District of Illinois previously addressed similar issues but rendered differing opinions in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022) and Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022).

In Tony’s, a former employee filed a class action against her former employer in Illinois state court in 2018, alleging that they collected her fingerprints in violation of BIPA. Her fingerprints were taken when she was hired and were subsequently used to clock in and out of work. Her employer notified their broker of the BIPA class action, but their broker did not immediately notify the insurer until approximately a year later. Relying on the Employment-Related Practices (“ERP”) and late notice, the insurer denied coverage and filed a declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.

The ERP Exclusion at issue precluded coverage for “personal and advertising injury to (1) A person arising out of any: (a) Refusal to employ that person; (b) Termination of that person’s employment; or (c) Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person; . . . .” In interpreting the ERP Exclusion, the court held that “[w]hen there is a list, the individual components of the list should be read together. That is, the collection of words helps to inform the meaning of any individual word.” Here, the court held that the first two subparts dealt with the “comings and goings of employees.” Based on the context of those two subparts, the court concluded that the third subpart only applies to adverse employment actions and not just any claims that happen at work. The court reasoned that “[t]he structure of the language suggests that it requires a change in employment status or other negative treatment directed at the employee.” The court further explains that the phrase “such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person” suggests “a change in an employee’s standing, or targeted mistreatment of a specific person – that is, conduct “directed at that person.” Based on this interpretation, the court concluded that using an employee’s fingerprint to clock in and out of work was an “awkward fit” under this provision. Thus, the court concluded that the ERP Exclusion did not apply to preclude coverage.

With respect to the insurer’s second argument, the court held that whether the insured provided timely notice to its insurer is a question of fact for the jury to decide. The court noted that the insurer did not receive notice of the BIPA class action until approximately a year later; however, the insured argued that the insurer did not suffer any prejudice because the underlying class action has stayed for most of that time. The insurer also argued that the insured was sophisticated enough to act promptly to notify its insurer. The insured on the other hand argued that it acted with diligence because it acted promptly to reach out to its broker when it learned of the Illinois Supreme Court’s ruling in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. The court concluded that a jury needed to decide whether the insured provided late notice.

Unlike Citizens, Tony’s did not state that it disagreed with the rationale in Am. Family regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. Rather, it only noted that Am. Family and Citizens came to different conclusions regarding the applicability of the ERP Exclusion in a BIPA lawsuit. However, given the ruling in Tony’s, an insurer may not be able to rely on the ERP Exclusion to preclude coverage for a BIPA lawsuit filed by an employee.

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Split Emerging Within Northern District of Illinois Concerning Application of ERP Exclusion in BIPA Lawsuits appeared first on Privacy Risk Report.

On March 1, 2022, the Northern District of Illinois issued an opinion in Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

In Thermoflex, an employee filed a class-action lawsuit against its employer in Illinois state court, alleging that his employer collected its employees’ handprint data in violation of BIPA. The employer collected the handprint data for purposes of authentication and timekeeping. The employer’s insurers denied coverage for the BIPA class action, relying on the Employment-Related Practices (“ERP”), Recording and Distribution and Access or Disclosure Exclusions. The insurers filed declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.

The ERP Exclusion at issue precluded coverage for personal and advertising injuries that extend to “[e]mployment-related practices, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The insurers argued no coverage existed under the ERP Exclusion and relied on a recent Northern District of Illinois opinion in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022). In Am. Family, which involved the collection of fingerprints, the court found ERP Exclusion applied, noting the BIPA violation was “of the same nature” as practices referred to in ERP exclusion because like BIPA, “[e]ach of ‘coercion, demotion, evaluation, reassignment, discipline, defamation, harassment [and] humiliation,’ reflect a practice that can cause an individual harm to an employee.”

However, the Thermoflex court disagreed with the Am. Family decision, explaining that “reading the exclusions as barring any employment-related practices that ‘can’ cause harm to an employee would potentially preclude coverage for any claim against an employer.” The court held that such a reading is contrary to the rule that policy exclusions must be narrowly construed. The court found it “unclear” whether the ERP Exclusion at issue should be viewed in the same way as in Am. Family, arguably differentiating between “fingerprint” and “handprint” collection, and ultimately held that the insurers could not rely on this exclusion to absolve their duty to defend.

The Thermoflex court similarly rejected application of the Recording and Distribution Exclusion as a basis to deny coverage. The Recording and Distribution Exclusion at issue precluded coverage for personal injuries arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) Telephone Consumer Protection Act (“TCPA”), (2) CAN-SPAM Act of 2003, (3) Fair Credit Reporting Act (“FCRA”), or (4) “any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court noted that the Illinois Supreme Court in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (Ill. May 21, 2021) already analyzed a similar exclusion. In that case, the Illinois Supreme Court explained that this exclusion did not apply to preclude coverage for a BIPA claim because BIPA is not the “same kind” as the TCPA and CAN-SPAM Act, and it also does not regulate methods of communications like the other enumerated statutes. The district court held that it was “[a]t best” ambiguous whether BIPA was sufficiently similar to those other statutes, and “at worst” BIPA is a different kind of statute from the other statutes. Because the court viewed this exclusion ambiguous, it held that the policies must be construed in favor of finding coverage for the insured.

The court also rejected the application of the Access or Disclosure Exclusion.  The Access or Disclosure Exclusion at issue precluded “‘[p]ersonal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court held that handprints “do not share the attributes . . . of privacy or sensitivity.” BIPA expressly distinguishes between “biometric identifiers” and “confidential and sensitive information.” The court noted that “none of the examples of biometric identifiers listed in the statutory definition are included in the definition of confidential and sensitive information.” The statutory text also makes clear that BIPA regards “[b]iometrics [as] unlike other unique identifiers that are used to access finances or other sensitive information.” Thus, the court held that it was at best unclear whether BIPA treats handprints as “confidential and sensitive information.” For this reason, the court held that the exclusion did not apply.

Although an unpublished opinion, this finding is significant in that it shows a departure from an earlier ruling concerning the ERP Exclusion. The court did not agree with the rationale in Am. Family regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. However, it did not go as far as to reject Am. Family. The court simply did not believe the ERP Exclusion at issue should be viewed in the same way as in Am. Family because it involved “handprints” and not “fingerprints.”  The decision further cuts against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Recording and Distribution Exclusion to preclude coverage for a BIPA lawsuit (Am. Family also held that these exclusions did not apply to preclude coverage).

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit appeared first on Privacy Risk Report.

In McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 et seq. does not bar an employee’s claim for statutory damages under the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

An employee filed a class-action lawsuit against her employer for violating BIPA. Her employer required its employees to use a biometric timekeeping system in order to scan an employee’s fingerprint for purposes of authenticating an employee and tracking their time at work. The employee alleged that her employer never obtained her written consent to store her biometric information or informed her how the information will be stored.

820 ILCS 305/5 and 11 of the Compensation Act are the exclusive remedy provisions by which an employee may seek recovery against their employer for work-related injuries. However, an employee can escape the exclusivity provisions if the employee can show that the injury: (1) was not accidental; (2) did not arise from their employment; (3) did not occur during the course of employment; or (4) was not compensable under the Compensation Act.  At issue was the fourth exception.

The Court held that whether the exclusivity provision applied depends on the type of injury the employee sustained. The Court noted the purpose of the Compensation Act is to provide financial protection for injured workers until they can return to work, whereas the purpose of BIPA is to protect a person’s biometric information. In comparing the two statutes’ purposes, the Court found that “[t]he personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act.” Accordingly, the Court concluded that the BIPA violation did not categorically fall under the purview of the Compensation Act and therefore is not compensable under the Compensation Act. For this reason, the Court held that the employee may pursue her BIPA claim against her employer in the circuit court rather than through the Workers’ Compensation Commission.

Although not an insurance coverage case, this finding may have important implications for insurers regarding coverage for BIPA violations. Here, the Illinois Supreme Court’s held that an employee’s BIPA claim does not fall within the purview of the Compensation Act. However, this does not necessarily mean that an insurer will not be able to disclaim coverage under the Employment Related Practices Exclusion. As we discussed in our previous article regarding the finding from the Northern District of Illinois that the Employment-Related Practices Exclusion applies to BIPA claims.

If you want to read more about BIPA, please check out the below articles:

• Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach

• Illinois’ Biometric Information Protection Act Gets More Tangled With Employment Law

• Seventh Circuit Court Of Appeals Reopens Doors to Federal Courts For BIPA Plaintiffs

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA appeared first on Privacy Risk Report.

On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the insured’s time-keeping vendor. It is alleged the insured did not obtain the employee’s consent to disclose the biometric information to its vendor in a violation of BIPA.

The insurer denied coverage under its policy, relying on three exclusions: (1) Access or Disclosure Exclusion; (2) Violation of Statute Exclusion; and (3) ERP Exclusion. The insurer then filed a complaint for declaratory judgment against its insured asserting that it had no duty to defend its insured for the BIPA lawsuit.

The Access or Disclosure Exclusion at issue precluded coverage “for personal and advertising injury . . . arising out of any access to or disclosure of any person’s . . . confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” In rejecting its application, the court determined that to include fingerprints as “health information” would “stretch the definition of health information to include a physical characteristic that has nothing to do with the state of health of an individual.” For this reason, the court held that the Access or Disclosure Exclusion did not apply to preclude coverage.

The Violation of Statute Exclusion at issue precluded coverage for “access or disclosure of confidential or personal information and data related to liability.” The court noted that this exclusion was nearly identical to the exclusion analyzed in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (Ill. May 21, 2021). In Krishna, the Illinois Supreme Court held that the Violation of Statute Exclusion did not apply to preclude coverage for a BIPA lawsuit, which alleged that a tanning salon violated BIPA by requiring its customers to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party. Because the insurer could not “meaningfully differentiate” between the terms in its Violation of Statute Exclusion with the one in Krishna, the court concluded this exclusion did not apply to preclude coverage.

The ERP Exclusion at issue precluded coverage for personal and advertising injuries “arising out of any . . . employment-related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person . . . .” In finding this exclusion precluded coverage, the court stated the exclusion “applie[d] to practices directed at individual employees and the fingerprint requirement [was] directed at all employees.” Thus, because the court viewed the insured’s requirement that its employees scan their fingerprints as an employment-related practice, the court found the exclusion applied to preclude coverage.

Although an unpublished opinion, this finding may signify other court’s agreement with the holding in Krishna and may further cut against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Violation of Statute Exclusion to preclude coverage for a BIPA lawsuit. On the other hand, the finding may provide traction for insurer’s who wish to take the position that the ERP Exclusion applies to preclude coverage for a BIPA lawsuit involving an employee.

A copy of the court’s decision can be found at Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022).

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

About the Author

Catherine Geisler is an associate in the Insurance Practice Group. She represents insurance carriers and insureds in a wide range of insurance coverage matters involving policies such as commercial general liability policies, commercial umbrella/excess policies, commercial auto policies, privacy liability policies, professional liability policies and business owners’ policies. Catherine’s work includes analyzing insurance coverage issues, assessing insurance carriers’ risks, preparing coverage opinions and position letters and handling all aspects of insurance coverage litigation in state and federal courts.

The post Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit appeared first on Privacy Risk Report.

On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.

In the underlying lawsuit, Klaudia Sekura (“Sekura”)[2] filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party.

Krishna tendered the underlying lawsuit to its insurer, West Bend Mutual Insurance Company (“West Bend”), and requested West Bend to defend it. West Bend issued two business owners’ liability policies (“the West Bend policies”) to its insured, Krishna for two consecutive policy periods between 2014 to 2016. West Bend disclaimed coverage to Krishna arguing that it did not have a duty to defend it in the underlying lawsuit.

West Bend then filed a complaint for declaratory judgment against Krishna and Sekura asserting that it did not owe a duty to defend its insured in the underlying lawsuit. Both West Bend and Krishna filed cross-motions for summary judgment. Sekura also joined Krishna’s motion for summary judgment but sought alternative relief. Id. at ¶1. The trial court entered judgment for Krishna. West Bend then appealed the trial court’s decision, which was affirmed by the appellate court. The Illinois Supreme Court allowed West Bend’s petition for leave to appeal the appellate court’s decision, but the Court ultimately affirmed the appellate court’s decision.

The Illinois Supreme Court determined that West Bend had a duty to defend Krishna. At issue was whether the underlying complaint’s allegations fell within the West Bend policies’ coverage under the “personal injury” provision, which states in relevant part:

13. ‘Personal injury’ means injury, other than ‘bodily injury’, arising out of one or more of the following offenses:

* * *

1. Oral or written publication of material that violates a person’s right of privacy.

Id. at ¶ 8.

The Court determined that the underlying lawsuit potentially alleged: “personal injury” because Sekura alleged that she suffered “nonbodily injury” (“emotional upset, mental anguish and mental injury”) when Krishna disclosed her biometric information to a third party. Id. at ¶ 36.

The Court found that the sharing of Sekura’s fingerprints to a third party constituted a “publication.” Id. at ¶ 50. The Court noted that the term “publication” was undefined in the West Bend policies. As a result, the Court looked to the “plain, ordinary, and popular meaning, i.e., [the Court] look[ed] to its dictionary definition.” Id. at ¶ 38 (citing Founders Insurance Co. v. Munoz, 237 Ill. 2d 424, 436, 341 Ill.Dec. 485, 930 N.E.2d 999 (2010)). Based on its review of the dictionaries, treatises and the Restatement of Torts, the Court determined that it “means both the communication of information to a single party and the communication of information to the public at large.” Id. at ¶ 43.

The Court also concluded that the sharing of Sekura’s fingerprints to a third party constituted a violation of her “right of privacy.” Id. at ¶ 51. The Court noted that the term “right of privacy” was also undefined in the West Bend policies. Accordingly, the Court looked to the dictionary definition of that term and determined that the “right of privacy” includes “the right of an individual to keep his or her personal identifying information like fingerprints secret.” Id. at ¶ 46.

The Court then determined that the “violation of statutes exclusion” did not apply to bar coverage to Krishna. The exclusion states in relevant part:

This insurance does not apply to:

DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES

‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or

(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or

(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.

Id. at ¶ 9

The Court began its analysis with the title of the exclusion, which was titled “‘Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.’” Id. at ¶ 58. The Court also noted that the exclusion listed “statutes like the TCPA and the CAN-SPAM Act, which regulate methods of communication like telephone calls, faxes, and e-mails.” Id. at ¶ 59. Based on the title of the exclusion and the fact that BIPA does not regulate the method of communication, the Court held that the violation of statutes exclusion could not be used to bar coverage to the insured. Id. at ¶ 60.

In summary, the Illinois Supreme Court ultimately concluded that West Bend had a duty to defend its insured, Krishna, in the underlying lawsuit. It determined that (1) Sekura suffered a “nonbodily personal injury;” (2) Krishna’s sharing of Sekura’s biometric information (i.e., her fingerprints) to a third party constituted a “publication” as that term is used in the “personal injury” provision; and (3) Krishna’s sharing of Sekura’s biometric information to a third party potentially violated Sekura’s “right of privacy” as that term is used in the “personal injury” provision. Id. at ¶ 61. Moreover, the Court found that the violation of statutes exclusion contained in the West Bend policies did not apply to BIPA allegations.

[1] This decision is currently not considered a final decision. According to the Illinois Supreme Court, this opinion has not been released for publication, and thus is still subject to revision or withdrawal. Moreover, pursuant to the Illinois Supreme Court Rule 367, “a party has 21 days [(June 10, 2021)] after the filing of an opinion to request a rehearing, which, if allowed, will act to nullify the previously filed opinion.” A Caution on Court Opinions, ILLINOIS COURTS (May 24, 2021), http://www.illinoiscourts.gov/Opinions/caution.asp.

[2] In this blog, we will refer to Sekura to mean both her and the Class.

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Illinois Supreme Court Finds “Publication” In Some BIPA Claims appeared first on Privacy Risk Report.