The Illinois Supreme Court issued a much-anticipated opinion in Tims v. Black Horse Carriers, Inc., 2023 IL 127801 on February 2, 2023. Tims settles — once and for all — the burning question of which statute of limitations applies to claims advanced under the Illinois Biometric Information Privacy Act (“BIPA”). Under the appellate opinion, Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, BIPA litigants were arguably subject to two putative class periods depending on which BIPA violations were alleged.  But that is now over. All BIPA claims are subject to a five-year statute of limitations. Period. End of Story. Except in the context of litigating the reach and contours of BIPA for purposes of liability coverage. The full impact of the definitive answer relative to the applicable limitations period will not be known until the Illinois Supreme Court answers the certified question on accrual — a decision just as anticipated as Tims was. But reading Tims as only answering the limitations question overlooks the opinion’s more subtle impact which relates to the ongoing dispute on the availability of insurance coverage.

Tims was not a coverage case. It is instead a case addressing the merits of a BIPA suit in a favorable manner to the plaintiffs’ bar. Plaintiffs will surely view Tims as another victory (for those keeping score, BIPA rulings tend to be plaintiff-friendly) and perhaps it is. That is not the point here. Tims reinforces a critical challenge to Coverage B coverage under commercial general liability policies. The useful nuggets are embedded in the discussion that serves as the premise for the court’s holding.

Briefly summarized, the Tims supreme court opinion held that a single statute of limitations applies to a statute for purposes of consistency and to avoid confusion. The court agreed that the question was whether the one-year or five-year statute applied. The court then examined sections 15(a) through (e) of BIPA to determine which limitations applied. The court’s analysis was driven by the overall intent of the legislature in enacting BIPA (protection of biometric information) coupled with the lack of a stated limitations period. This compelled the court to conclude that application of the five-year limitations period best provided the greatest protection consistent with BIPA’s stated purpose. The court made notable observations that will no doubt be invoked in coverage litigation in reaching this conclusion.

For instance, Tims confirms that sections 15(a), (b) and (e) “contain no words that could be defined as involving publication.” Tims, 2023 IL 127801 at ¶ 30. It was because of the characteristic of these claims that the one-year limitations period could never apply. Id.  The court then further agreed with the appellate court that only 15(c) and (d) “could be defined as involving publication . . .” Tims, 2023 IL 127801 at ¶ 31. Significantly, the Tims court cited the definition of “publication” in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, to make its point. Id. at ¶ 32. This is noteworthy because, while not a coverage case, Tims gives insurers a valuable argument to defeat application of Coverage B coverage.

Publication is a critical criterion of advertising injury coverage. Where there is no publication, there is no advertising injury and no duty to defend. The most prevalent claims asserted by BIPA plaintiffs are brought under sections 15(a) and 15(b). While plaintiffs may now elect to add claims under sections 15(c) and (d), the only change in the coverage landscape is that the (c) or (d) claim now reaches back five years instead of one.

To be clear, Tims does not directly or indirectly eliminate coverage for BIPA claims. The decision instead confirms what savvy coverage lawyers have been arguing since the appellate court issued Tims — the violation a BIPA plaintiff chooses to assert matters for purposes of the coverage analysis.

Insurers can and should advance arguments challenging the publication criterion and its absence from three of the five sections in BIPA. Even where a (c) or (d) claim is included (triggering a duty to defend) challenging the availability of coverage as to the 15(a), (b) and (e) claims introduces a pressure point both with respect to how a plaintiff litigates a case but also how settlement is considered, especially if the coverage issue is teed up in parallel coverage litigation which will also include the updated exclusionary language that has yet to be construed by an Illinois state court.

The Tims decision was long anticipated and finally settles a fundamental question akin to the “aggrieved” issue resolved in Rosenbach. Its impact will be determined as additional rulings construing BIPA is issued. But one impact is apparent now — the publication analysis in Krishna as it relates to BIPA will have to be revisited.

For more information about this article, contact Rosa Tumialán at rtumialan@tresslerllp.com.

About the Author

Rosa M. Tumialán is a partner in the firm’s Chicago office. Rosa is a member of the firm’s Insurance Practice Group and focuses her practice on insurance coverage and bad faith litigation. She is an accomplished defense attorney with nearly twenty years of insurance coverage experience. Rosa’s insurer-related services include coverage opinion analysis and representing insurers in complex coverage disputes relating to personal and commercial lines, third party claims, surplus lines as well as claims handling practices and extracontractual liability. In addition to her reputation as an experienced insurance litigator, Rosa is an equally well-known class action defense lawyer with years of experience in defending class actions filed under the Telephone Consumer Protection Act (TCPA), Illinois Biometric Privacy Act (BIPA) as well as other consumer privacy statutes in both state and federal courts. She is lauded for her ability to develop and employ unique and aggressive strategies for her clients in these evolving areas. She is routinely sought out by companies seeking TCPA and BIPA compliance analysis or those who face TCPA and BIPA liability. Rosa can be reached at rtumialan@tresslerllp.com.

The post The Statute of Limitations Debate is Over But That’s Not All Tims Does appeared first on Privacy Risk Report.

On March 8, 2022, the Northern District of Illinois issued an opinion in State Auto. Mut. Insur. Co. v. Tony’s Finer Foods Enter., Inc., et al., 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022) again addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq. The Northern District of Illinois previously addressed similar issues but rendered differing opinions in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022) and Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022).

In Tony’s, a former employee filed a class action against her former employer in Illinois state court in 2018, alleging that they collected her fingerprints in violation of BIPA. Her fingerprints were taken when she was hired and were subsequently used to clock in and out of work. Her employer notified their broker of the BIPA class action, but their broker did not immediately notify the insurer until approximately a year later. Relying on the Employment-Related Practices (“ERP”) and late notice, the insurer denied coverage and filed a declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.

The ERP Exclusion at issue precluded coverage for “personal and advertising injury to (1) A person arising out of any: (a) Refusal to employ that person; (b) Termination of that person’s employment; or (c) Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person; . . . .” In interpreting the ERP Exclusion, the court held that “[w]hen there is a list, the individual components of the list should be read together. That is, the collection of words helps to inform the meaning of any individual word.” Here, the court held that the first two subparts dealt with the “comings and goings of employees.” Based on the context of those two subparts, the court concluded that the third subpart only applies to adverse employment actions and not just any claims that happen at work. The court reasoned that “[t]he structure of the language suggests that it requires a change in employment status or other negative treatment directed at the employee.” The court further explains that the phrase “such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person” suggests “a change in an employee’s standing, or targeted mistreatment of a specific person – that is, conduct “directed at that person.” Based on this interpretation, the court concluded that using an employee’s fingerprint to clock in and out of work was an “awkward fit” under this provision. Thus, the court concluded that the ERP Exclusion did not apply to preclude coverage.

With respect to the insurer’s second argument, the court held that whether the insured provided timely notice to its insurer is a question of fact for the jury to decide. The court noted that the insurer did not receive notice of the BIPA class action until approximately a year later; however, the insured argued that the insurer did not suffer any prejudice because the underlying class action has stayed for most of that time. The insurer also argued that the insured was sophisticated enough to act promptly to notify its insurer. The insured on the other hand argued that it acted with diligence because it acted promptly to reach out to its broker when it learned of the Illinois Supreme Court’s ruling in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978. The court concluded that a jury needed to decide whether the insured provided late notice.

Unlike Citizens, Tony’s did not state that it disagreed with the rationale in Am. Family regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. Rather, it only noted that Am. Family and Citizens came to different conclusions regarding the applicability of the ERP Exclusion in a BIPA lawsuit. However, given the ruling in Tony’s, an insurer may not be able to rely on the ERP Exclusion to preclude coverage for a BIPA lawsuit filed by an employee.

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Split Emerging Within Northern District of Illinois Concerning Application of ERP Exclusion in BIPA Lawsuits appeared first on Privacy Risk Report.

On March 1, 2022, the Northern District of Illinois issued an opinion in Citizens Insur. Co of Am., & Hanover Insur. Co. v. Thermoflex Waukegan, LLC, 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022) addressing whether insurance coverage existed for an employer with respect to its employee’s claims of violations of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

In Thermoflex, an employee filed a class-action lawsuit against its employer in Illinois state court, alleging that his employer collected its employees’ handprint data in violation of BIPA. The employer collected the handprint data for purposes of authentication and timekeeping. The employer’s insurers denied coverage for the BIPA class action, relying on the Employment-Related Practices (“ERP”), Recording and Distribution and Access or Disclosure Exclusions. The insurers filed declaratory action in the Northern District of Illinois seeking confirmation that it had no duty to defend its insured for the BIPA class action.

The ERP Exclusion at issue precluded coverage for personal and advertising injuries that extend to “[e]mployment-related practices, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The insurers argued no coverage existed under the ERP Exclusion and relied on a recent Northern District of Illinois opinion in Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022). In Am. Family, which involved the collection of fingerprints, the court found ERP Exclusion applied, noting the BIPA violation was “of the same nature” as practices referred to in ERP exclusion because like BIPA, “[e]ach of ‘coercion, demotion, evaluation, reassignment, discipline, defamation, harassment [and] humiliation,’ reflect a practice that can cause an individual harm to an employee.”

However, the Thermoflex court disagreed with the Am. Family decision, explaining that “reading the exclusions as barring any employment-related practices that ‘can’ cause harm to an employee would potentially preclude coverage for any claim against an employer.” The court held that such a reading is contrary to the rule that policy exclusions must be narrowly construed. The court found it “unclear” whether the ERP Exclusion at issue should be viewed in the same way as in Am. Family, arguably differentiating between “fingerprint” and “handprint” collection, and ultimately held that the insurers could not rely on this exclusion to absolve their duty to defend.

The Thermoflex court similarly rejected application of the Recording and Distribution Exclusion as a basis to deny coverage. The Recording and Distribution Exclusion at issue precluded coverage for personal injuries arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) Telephone Consumer Protection Act (“TCPA”), (2) CAN-SPAM Act of 2003, (3) Fair Credit Reporting Act (“FCRA”), or (4) “any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court noted that the Illinois Supreme Court in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (Ill. May 21, 2021) already analyzed a similar exclusion. In that case, the Illinois Supreme Court explained that this exclusion did not apply to preclude coverage for a BIPA claim because BIPA is not the “same kind” as the TCPA and CAN-SPAM Act, and it also does not regulate methods of communications like the other enumerated statutes. The district court held that it was “[a]t best” ambiguous whether BIPA was sufficiently similar to those other statutes, and “at worst” BIPA is a different kind of statute from the other statutes. Because the court viewed this exclusion ambiguous, it held that the policies must be construed in favor of finding coverage for the insured.

The court also rejected the application of the Access or Disclosure Exclusion.  The Access or Disclosure Exclusion at issue precluded “‘[p]ersonal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court held that handprints “do not share the attributes . . . of privacy or sensitivity.” BIPA expressly distinguishes between “biometric identifiers” and “confidential and sensitive information.” The court noted that “none of the examples of biometric identifiers listed in the statutory definition are included in the definition of confidential and sensitive information.” The statutory text also makes clear that BIPA regards “[b]iometrics [as] unlike other unique identifiers that are used to access finances or other sensitive information.” Thus, the court held that it was at best unclear whether BIPA treats handprints as “confidential and sensitive information.” For this reason, the court held that the exclusion did not apply.

Although an unpublished opinion, this finding is significant in that it shows a departure from an earlier ruling concerning the ERP Exclusion. The court did not agree with the rationale in Am. Family regarding the applicability of the ERP Exclusion in a similar BIPA lawsuit. However, it did not go as far as to reject Am. Family. The court simply did not believe the ERP Exclusion at issue should be viewed in the same way as in Am. Family because it involved “handprints” and not “fingerprints.”  The decision further cuts against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Recording and Distribution Exclusion to preclude coverage for a BIPA lawsuit (Am. Family also held that these exclusions did not apply to preclude coverage).

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Northern District Injects Confusion as to Whether Insurers Can Rely on the Employment-Related Practices Exclusion to Preclude Coverage for an Employee BIPA Suit appeared first on Privacy Risk Report.

In McDonald v. Symphony Bronzeville Park, LLC, 2022 IL 126511, the Illinois Supreme Court issued an opinion finding the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) 820 ILCS 305/1 et seq. does not bar an employee’s claim for statutory damages under the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq.

An employee filed a class-action lawsuit against her employer for violating BIPA. Her employer required its employees to use a biometric timekeeping system in order to scan an employee’s fingerprint for purposes of authenticating an employee and tracking their time at work. The employee alleged that her employer never obtained her written consent to store her biometric information or informed her how the information will be stored.

820 ILCS 305/5 and 11 of the Compensation Act are the exclusive remedy provisions by which an employee may seek recovery against their employer for work-related injuries. However, an employee can escape the exclusivity provisions if the employee can show that the injury: (1) was not accidental; (2) did not arise from their employment; (3) did not occur during the course of employment; or (4) was not compensable under the Compensation Act.  At issue was the fourth exception.

The Court held that whether the exclusivity provision applied depends on the type of injury the employee sustained. The Court noted the purpose of the Compensation Act is to provide financial protection for injured workers until they can return to work, whereas the purpose of BIPA is to protect a person’s biometric information. In comparing the two statutes’ purposes, the Court found that “[t]he personal and societal injuries caused by violating the Privacy Act’s prophylactic requirements are different in nature and scope from the physical and psychological work injuries that are compensable under the Compensation Act.” Accordingly, the Court concluded that the BIPA violation did not categorically fall under the purview of the Compensation Act and therefore is not compensable under the Compensation Act. For this reason, the Court held that the employee may pursue her BIPA claim against her employer in the circuit court rather than through the Workers’ Compensation Commission.

Although not an insurance coverage case, this finding may have important implications for insurers regarding coverage for BIPA violations. Here, the Illinois Supreme Court’s held that an employee’s BIPA claim does not fall within the purview of the Compensation Act. However, this does not necessarily mean that an insurer will not be able to disclaim coverage under the Employment Related Practices Exclusion. As we discussed in our previous article regarding the finding from the Northern District of Illinois that the Employment-Related Practices Exclusion applies to BIPA claims.

If you want to read more about BIPA, please check out the below articles:

• Illinois Leaves Its “Thumbprint” On American Privacy Law As The Illinois Supreme Court Finds An Individual Can Bring An Action Under the Biometric Act Without Being Involved In A Breach

• Illinois’ Biometric Information Protection Act Gets More Tangled With Employment Law

• Seventh Circuit Court Of Appeals Reopens Doors to Federal Courts For BIPA Plaintiffs

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post The Illinois Workers’ Compensation Act Does Not Bar An Employee’s Claim Under BIPA appeared first on Privacy Risk Report.

On January 7, 2022, the Northern District issued an opinion regarding whether the claims contained in a lawsuit alleging the violation of the Illinois Biometric Information Privacy Act (“BIPA”), 40 ILCS 14/1 et seq., were covered under a Businessowners’ Liability Policy. An employee of the insured filed a class action complaint in Kankakee County, Illinois, against the insured for violating BIPA. The insured required its employees to use a biometric time clock system to record their time. This system required the insured’s employees to scan their fingerprints to clock in and clock out. This information was then disclosed to the insured’s time-keeping vendor. It is alleged the insured did not obtain the employee’s consent to disclose the biometric information to its vendor in a violation of BIPA.

The insurer denied coverage under its policy, relying on three exclusions: (1) Access or Disclosure Exclusion; (2) Violation of Statute Exclusion; and (3) ERP Exclusion. The insurer then filed a complaint for declaratory judgment against its insured asserting that it had no duty to defend its insured for the BIPA lawsuit.

The Access or Disclosure Exclusion at issue precluded coverage “for personal and advertising injury . . . arising out of any access to or disclosure of any person’s . . . confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” In rejecting its application, the court determined that to include fingerprints as “health information” would “stretch the definition of health information to include a physical characteristic that has nothing to do with the state of health of an individual.” For this reason, the court held that the Access or Disclosure Exclusion did not apply to preclude coverage.

The Violation of Statute Exclusion at issue precluded coverage for “access or disclosure of confidential or personal information and data related to liability.” The court noted that this exclusion was nearly identical to the exclusion analyzed in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 WL 2005464 (Ill. May 21, 2021). In Krishna, the Illinois Supreme Court held that the Violation of Statute Exclusion did not apply to preclude coverage for a BIPA lawsuit, which alleged that a tanning salon violated BIPA by requiring its customers to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party. Because the insurer could not “meaningfully differentiate” between the terms in its Violation of Statute Exclusion with the one in Krishna, the court concluded this exclusion did not apply to preclude coverage.

The ERP Exclusion at issue precluded coverage for personal and advertising injuries “arising out of any . . . employment-related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person . . . .” In finding this exclusion precluded coverage, the court stated the exclusion “applie[d] to practices directed at individual employees and the fingerprint requirement [was] directed at all employees.” Thus, because the court viewed the insured’s requirement that its employees scan their fingerprints as an employment-related practice, the court found the exclusion applied to preclude coverage.

Although an unpublished opinion, this finding may signify other court’s agreement with the holding in Krishna and may further cut against an insurance company’s ability to rely on the Access or Disclosure Exclusion and Violation of Statute Exclusion to preclude coverage for a BIPA lawsuit. On the other hand, the finding may provide traction for insurer’s who wish to take the position that the ERP Exclusion applies to preclude coverage for a BIPA lawsuit involving an employee.

A copy of the court’s decision can be found at Am. Family Mut. Ins. Co., S.I. v. Caremel, Inc., 20 C 637, 2020 WL 8093501 (N.D. Ill. Jan. 7, 2022).

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

About the Author

Catherine Geisler is an associate in the Insurance Practice Group. She represents insurance carriers and insureds in a wide range of insurance coverage matters involving policies such as commercial general liability policies, commercial umbrella/excess policies, commercial auto policies, privacy liability policies, professional liability policies and business owners’ policies. Catherine’s work includes analyzing insurance coverage issues, assessing insurance carriers’ risks, preparing coverage opinions and position letters and handling all aspects of insurance coverage litigation in state and federal courts.

The post Northern District of Illinois Finds Employment-Related Practices Exclusion Applies to BIPA Suit appeared first on Privacy Risk Report.

“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple CGL policies can be triggered by BIPA publication claims when they are subject to a one-year statute of limitations.

On September 17, 2021, the Illinois Court of Appeals provided much-needed guidance on the proper statute of limitations for alleged violations of BIPA. In Tims v. Black Horse Carriers, Inc.,1-20-0563 (First Cir. Sept. 17, 2021), the Illinois Court of Appeals for the First District addressed the defendant’s argument that BIPA was subject to a one-year limitations period under section 13-201 while plaintiffs claimed BIPA was subject to a five-year statute of limitations under 13-205.

The Illinois legislature did not provide a specific statute of limitations for BIPA claims. Litigants have primarily argued two statute of limitations were applicable. First, 735 ILCS 5/13-201 entitled “Defamation – Privacy” provides “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.” Second, 735 ILCS 5/13-205) entitled “Five-year limitation” provides a catch-all for all “actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”

The Tims court did not apply a single statute of limitations uniformly to all the violation subparts of BIPA. Rather, in determining which statute of limitations individually applies to the various violation subparts of BIPA, the Court of Appeal’s determination was driven by whether the claimed BIPA violation subpart involves publication:

A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting and protecting biometric data. Id. at ¶ 31 (citing 740 ILCS 14/15 (West 2018)) (emphasis added).

The Tims court further noted “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself. Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” Id. at ¶ 31 (quoting 735 ILCS 5/13-201 (West 2018)) (emphasis added).

In summary, the Court of Appeals found the following statute of limitations apply to BIPA claims:

Of course, insurance coverage was not at issue in the Tims decision. It will be interesting to see how this decision, which limits the BIPA claims involving “publication,” impacts insurance coverage. Of course, the Illinois Supreme Court has found coverage for BIPA claims under the “personal injury” definition of CGL policies because of publication to third parties. See, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (May 20, 2021). Therefore, insurers may be able to argue only one CGL policy has been potentially triggered when the BIPA publication claims are subject to a one-year statute of limitation.

This decision also misses another important aspect to determining insurance coverage for BIPA claims—accrual of the claim. While the Tims decision will offer some clarity as to the important issue of the proper statute of limitations for these claims, it left one rock unturned. Importantly, the Tims court did not address when a biometric claim accrues. Therefore, it is still unclear whether repeated conduct gives rise to a single BIPA violation or if each new violation gives rise to a new BIPA claim. While this issue causes problems on the defense side of BIPA cases, this issue is equally important when analyzing insurance coverage for BIPA claims as violations potentially span a number of policy periods.

For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com.

The post Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year? appeared first on Privacy Risk Report.

In a decision last week entitled Landry’s, Inc. v. The Ins. Co. Of The State Of Pennsylvania, No. 19-20430, 2021 WL 3075937 (5^th Circ., July 21, 2021), the Fifth Circuit Court of Appeals found coverage under a CGL Policy for a traditional data breach. More particularly, the Fifth Circuit held the insurer has a duty to defend Landry’s in the litigation that resulted from a breach incident involving credit card information. This case marks a departure from the general premise that there is no coverage to be found under CGL policies for liability resulting from “classic” data breach incidents.

The Facts Giving Rise to the Breach, the Breach Litigation and the Insurance Declaratory Judgment Action

Landry’s operated a number of retail establishments, including restaurants, hotels and casinos and uses Paymentech, LLC to process credit card payments at its retail properties. The facts indicate this process involves Paymentech, an intermediary between Landry’s and its bank, obtaining authorization from Visa or MasterCard to complete the sale prior to the funds being sent to JPMorgan Chase.

At some point, Paymentech discovered a data breach occurred at a number of Landry’s properties caused by an unauthorized installation of a program on devices used to process credit card transactions. “Over approximately a year and a half, the program retrieved personal information from millions of customers’ credit cards. And at least some of that credit card information was used to make unauthorized charges.”  Id. at *1. This resulted in millions of dollars in unauthorized charges to Landry’s customers’ cards.

Landry’s and Paymentech had a number of contracts that controlled the processing of credit cards from the point where Landry’s customers presented their cards until the point when the funds were deposited with JPMorgan Chase. Ultimately, Paymentech filed the underlying lawsuit where it sought over $20 million in damages for amounts assessed by Visa and MasterCard related to the fraudulent credit card transactions.

Landry’s filed a declaratory judgment against its insurer The Insurance Company of the State of Pennsylvania (“ICSP) seeking a declaration that ICSP had a duty to defend Landry’s in the underlying breach litigation for “publication” under the advertising and privacy injury clause of the policy.

In particular, Landry’s argued ICSP had a duty to defend under the Personal Injury clause arguing the allegations in the underlying litigation sought damages “arising out of … [the] [o]ral or written publication … of material that violates a person’s right of privacy.”  Additionally, to trigger coverage, Landry’s would need to show Paymentech’s alleged damages are “arising out of” the “violat[ion] [of] a person’s right of privacy.”

The District Court dismissed all the claims against ICSP holding “the Paymentech complaint did not allege a ‘publication’ because it asserted only that “[a] third party hacked into [the] credit card processing system and stole customers’ credit card information.” Id. at *2. Specifically, the District Court found these allegations did not constitute a “violat[ion] [of] a person’s right of privacy” because Paymentech involves the payment processor’s contract claims, not the cardholders’ privacy claims.” Id.

The Fifth Circuit’s Reversal of the District Court’s Finding of No Coverage

In overturning the District Court, the Fifth Circuit first found the allegations in the Paymentech constituted a “publication” as defined under the CGL policy issued to Landry’s based on the following reasoning:

The Paymentech complaint plainly alleges that Landry’s published its customers’ credit card information—that is, exposed it to view. In fact, the Paymentech complaint alleges two different types of “publication.” The complaint first alleges that Landry’s published customers’ credit card data to hackers. Specifically, as the credit-card “data was being routed through affected systems,” Landry’s allegedly exposed that data—including each “cardholder name, card number, expiration date and internal verification code.” Second, the Paymentech complaint alleges that hackers published the credit card data by using it to make fraudulent purchases. Both disclosures “expos[ed] or present[ed] [the credit-card information] to view.” Publish, WEBSTER’S SECOND, at 2005. And either one standing alone would constitute the sort of “publication” required by the Policy.  Id. at 4.

Next, the Fifth Circuit analyzed whether the allegations in Paymentech’s complaint sought damages for “an injury ‘arising out of…the violation of a person’s right of privacy.” The Fifth Circuit found this requirement was easily met since “it’s undisputed that a person has a ‘right of privacy’ in his or her credit card data.”  Id. at 5.  The Fifth Circuit further held “[i]t’s also undisputed that hackers’ theft of credit-card data and use of that data to make fraudulent purchases constitute ‘violations’ of consumers’ privacy rights.”  Id.

The Fifth Circuit’s decision is interesting since it simply glazes over the fact that Paymentech was suing Landry’s for breaching its contracts. Of course, breach of contract claims typically do not trigger coverage under a CGL policy. Also, the Fifth Circuit quickly moved past the fact that Paymentech did not suffer damages from the “publication” with the following reasoning dismissing real coverage questions as “salami-slicing distinctions:”

ICSOP urges us not to follow the plain text of the Policy and instead to alter it. In ICSOP’s view, the Policy covers only tort damages “arising out of … the violation of a person’s right of privacy.” Thus, ICSOP suggests, it might defend Landry’s if it were sued in tort by the individual customers who had their credit-card data hacked and fraudulently used. But ICSOP thinks it bears no obligation to defend Landry’s in a breach-of-contract action brought by Paymentech. Of course, the Policy contains none of these salami-slicing distinctions.

The Fifth Circuit’s decision in Landry makes more sense from a coverage standpoint if the underlying litigation was brought by the individuals that may have been damaged from the breach of their credit cards. This decision is also missing an analysis of exclusionary language that is become more common in CGL policies for breach/privacy/cyber incidents and the litigation arising from such incidents.  Nevertheless, insurers should expect to see insureds use the reasoning in this decision to argue CGL policies provide coverage for cyber and privacy incidents.

For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com.

The post Fifth Circuit Rejects Insurance Carrier’s Arguments As “Salami-Slicing Distinctions” In Finding Coverage For Breach Of Contract Claims Related To Data Breach appeared first on Privacy Risk Report.

On May 20, 2021, the Illinois Supreme Court delivered its opinion in W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978[1] regarding whether the claims contained in a lawsuit alleging the violation of the Biometric Information Privacy Act (“BIPA”) were covered under a business owners’ liability policy.

In the underlying lawsuit, Klaudia Sekura (“Sekura”)[2] filed a class-action suit against Krishna Schaumburg Tan, Inc. (“Krishna”), a tanning salon and franchisee of L.A. Tan for violating BIPA by requiring its customers, including Sekura, to scan their fingerprints without first getting their signed, written release to allow disclosure of their fingerprints to any third party.

Krishna tendered the underlying lawsuit to its insurer, West Bend Mutual Insurance Company (“West Bend”), and requested West Bend to defend it. West Bend issued two business owners’ liability policies (“the West Bend policies”) to its insured, Krishna for two consecutive policy periods between 2014 to 2016. West Bend disclaimed coverage to Krishna arguing that it did not have a duty to defend it in the underlying lawsuit.

West Bend then filed a complaint for declaratory judgment against Krishna and Sekura asserting that it did not owe a duty to defend its insured in the underlying lawsuit. Both West Bend and Krishna filed cross-motions for summary judgment. Sekura also joined Krishna’s motion for summary judgment but sought alternative relief. Id. at ¶1. The trial court entered judgment for Krishna. West Bend then appealed the trial court’s decision, which was affirmed by the appellate court. The Illinois Supreme Court allowed West Bend’s petition for leave to appeal the appellate court’s decision, but the Court ultimately affirmed the appellate court’s decision.

The Illinois Supreme Court determined that West Bend had a duty to defend Krishna. At issue was whether the underlying complaint’s allegations fell within the West Bend policies’ coverage under the “personal injury” provision, which states in relevant part:

13. ‘Personal injury’ means injury, other than ‘bodily injury’, arising out of one or more of the following offenses:

* * *

1. Oral or written publication of material that violates a person’s right of privacy.

Id. at ¶ 8.

The Court determined that the underlying lawsuit potentially alleged: “personal injury” because Sekura alleged that she suffered “nonbodily injury” (“emotional upset, mental anguish and mental injury”) when Krishna disclosed her biometric information to a third party. Id. at ¶ 36.

The Court found that the sharing of Sekura’s fingerprints to a third party constituted a “publication.” Id. at ¶ 50. The Court noted that the term “publication” was undefined in the West Bend policies. As a result, the Court looked to the “plain, ordinary, and popular meaning, i.e., [the Court] look[ed] to its dictionary definition.” Id. at ¶ 38 (citing Founders Insurance Co. v. Munoz, 237 Ill. 2d 424, 436, 341 Ill.Dec. 485, 930 N.E.2d 999 (2010)). Based on its review of the dictionaries, treatises and the Restatement of Torts, the Court determined that it “means both the communication of information to a single party and the communication of information to the public at large.” Id. at ¶ 43.

The Court also concluded that the sharing of Sekura’s fingerprints to a third party constituted a violation of her “right of privacy.” Id. at ¶ 51. The Court noted that the term “right of privacy” was also undefined in the West Bend policies. Accordingly, the Court looked to the dictionary definition of that term and determined that the “right of privacy” includes “the right of an individual to keep his or her personal identifying information like fingerprints secret.” Id. at ¶ 46.

The Court then determined that the “violation of statutes exclusion” did not apply to bar coverage to Krishna. The exclusion states in relevant part:

This insurance does not apply to:

DISTRIBUTION OF MATERIAL IN VIOLATION OF STATUTES

‘Bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate:

(1) The Telephone Consumer Protection Act (TCPA) [(47 U.S.C. § 227 (2018))], including any amendment of or addition to such law; or

(2) The CAN-SPAM Act of 2003 [(15 U.S.C. § 7701 (Supp. III 2004))], including any amendment of or addition to such law; or

(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.

Id. at ¶ 9

The Court began its analysis with the title of the exclusion, which was titled “‘Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.’” Id. at ¶ 58. The Court also noted that the exclusion listed “statutes like the TCPA and the CAN-SPAM Act, which regulate methods of communication like telephone calls, faxes, and e-mails.” Id. at ¶ 59. Based on the title of the exclusion and the fact that BIPA does not regulate the method of communication, the Court held that the violation of statutes exclusion could not be used to bar coverage to the insured. Id. at ¶ 60.

In summary, the Illinois Supreme Court ultimately concluded that West Bend had a duty to defend its insured, Krishna, in the underlying lawsuit. It determined that (1) Sekura suffered a “nonbodily personal injury;” (2) Krishna’s sharing of Sekura’s biometric information (i.e., her fingerprints) to a third party constituted a “publication” as that term is used in the “personal injury” provision; and (3) Krishna’s sharing of Sekura’s biometric information to a third party potentially violated Sekura’s “right of privacy” as that term is used in the “personal injury” provision. Id. at ¶ 61. Moreover, the Court found that the violation of statutes exclusion contained in the West Bend policies did not apply to BIPA allegations.

[1] This decision is currently not considered a final decision. According to the Illinois Supreme Court, this opinion has not been released for publication, and thus is still subject to revision or withdrawal. Moreover, pursuant to the Illinois Supreme Court Rule 367, “a party has 21 days [(June 10, 2021)] after the filing of an opinion to request a rehearing, which, if allowed, will act to nullify the previously filed opinion.” A Caution on Court Opinions, ILLINOIS COURTS (May 24, 2021), http://www.illinoiscourts.gov/Opinions/caution.asp.

[2] In this blog, we will refer to Sekura to mean both her and the Class.

For more information about this article, contact Catherine Geisler at cgeisler@tresslerllp.com.

The post Illinois Supreme Court Finds “Publication” In Some BIPA Claims appeared first on Privacy Risk Report.

The Indiana Supreme Court became one of the first state high courts to weigh in and issue a decision on whether crime insurance provides coverage for ransomware attacks. The trial court’s ruling in favor of Continental Western Insurance Co.’s motion for summary judgment upheld the denial of G&G Oil Co.’s bid for coverage. The Supreme Court remanded the case because further fact-finding was necessary to uncover the “fraudulent” nature of the hacker’s actions. It was important to determine how the hacking was conducted. Therefore, until this information is uncovered, neither party was entitled to summary judgment.

The case arose out of G&G’s purchase of commercial insurance. The policy contained various coverages, including “Commercial Crime Coverage.” There was a specific provision that provided coverage for “Computer Fraud.” Within the policy period, G&G discovered it was locked out of its computer systems. A ransomware attack, a “malicious computer code that renders the victim’s computer useless by blocking access to the programs and data” had halted G&G’s operations. In conjunction with the FBI, G&G contacted the hackers to negotiate a price to release the server’s blockages. G&G paid the requested ransom with four bitcoins, valued at approximately $35,000.

When G&G submitted the claim to Continental, coverage was denied on the basis that hacking was excluded pursuant to the “Agribusiness Property and Incomes Coverages,” which specifically disclaimed computer hacking and viruses. Additionally, Continental believed the Bitcoin was voluntarily paid to the computer hacker, which meant the Policy’s Commercial Crime provision would not be utilized. G&G filed a complaint seeking judicial enforcement of the Commercial Crime Provision. Continental filed a cross-motion for summary judgment.

The Supreme Court found that while these facts may give rise to fraud, there were still outlying questions. For instance, hacking can occur without fraud, but rather an inadequate security system. Therefore, until additional facts are provided, allegations of hacking were not enough to trigger coverage.

Additionally, the court deemed the Policy phrase, “fraudulent cause transfer” to be ambiguous. “Fraud” can range from a material misrepresentation invoking reliance to an “intentional perversion of truth.” Courts have also discussed the term “fraud” and have found it is generic and is often used in diverse ways. Therefore, the denial of coverage is likely unfounded as the Policy terms and provisions do not provide a fair basis.

This case is addressing this new intersection between computer fraud coverage, hacking and crime. To date, courts have had limited experience addressing each of these issues in the context of crime insurance. The evolving digital environment will likely introduce new issues that can give rise to coverage and expand existing scopes of coverage.

For more information about this article, contact Samantha Rothman at srothman@tresslerllp.com.

The post Hack Attack: Indiana Supreme Court Examines Ransomware Coverage  appeared first on Privacy Risk Report.

There is no question that the Illinois Biometric Information Protection Act of 2008 (“BIPA”) has given rise to a number of unique questions under both privacy law and insurance law. First, many data collectors caught in the crosshairs of BIPA are surprised to learn this law has been in effect since 2008. Further, a substantial amount of the technology that now creates BIPA issues was not invented or, at least, was not publicly available in 2008. It is unclear if the Illinois legislature envisioned the significant class-action litigation that has sprouted from alleged BIPA violations. Further, BIPA has brought even more complex questions concerning insurance coverage to the surface. This law is constantly in flux and last week both the Illinois legislature and the Illinois Supreme Court faced the opportunity to bring BIPA more into balance.

• The Illinois Legislature Has the Opportunity to Limit the Influence of BIPA Under Privacy Law 

On March 10, 2021, the Illinois legislature took the initial steps necessary to reign in BIPA. An Illinois state House judiciary committed advanced House Bill 559 last week which would significantly modify BIPA to not stack the cards against Illinois’ small and medium-sized businesses. House Bill 559 can be found here.

The Amendment, as proposed, would modify the phrase “written release” to “written consent.” This revision would have a dramatic impact on BIPA to the extent that an “aggrieved person” must provide a private entity written notice of the purported violations. The aggrieved person will have a cause of action under BIPA if the private entity fails to cure the purported violation within 30 days of receiving notice and sends the aggrieved person a written statement that the violation has been cured.  Importantly, the aggrieved person does not have a cause of action against the private entity if the alleged violation was cured within 30 days of notice.

It is hard to believe that the Illinois legislature intended BIPA to give rise to the significant BIPA class-action lawsuits that we see today. While it is unclear if this amendment will be adopted, it is clear that BIPA must be modified to reflect the technology in use today versus the technology from 2008. For example, in 2008, the legislature could not have possibly envisioned that small and medium-sized businesses would have fingerprint/thumbprint scanning technology available. Today, businesses in Illinois do not take full advantage of this technology out of fear of being targeted in a class-action lawsuit.

• The Illinois Supreme Court Has the Opportunity to Limit the Influence of BIPA on Insurance Law 

Also, on March 10, 2021, the Illinois Supreme Court heard arguments in West Bend Mut. Ins. Co., Appellant v. Krishna Schaumburg Tan, Inc., et al., Appellees, Case No. 12598, which is being watched as both an important privacy and insurance case.  The central issue in Krishna is whether a policyholder’s alleged disclosure of information to a single third party was enough to trigger its duty to defend under a general liability policy. All briefs submitted in this case and updates can be found on the Illinois Supreme Court’s website.

The insurer is requesting the Illinois Supreme Court reverse the decision of the Illinois Court of Appeals holding the disclosure of fingerprint data to a single vendor was “publication” and, therefore, triggered coverage under Coverage B for Advertising and Personal Injury.  Specifically, in its brief submitted to the Supreme Court, the insurer took the position that the underlying complaint about BIPA violations did not have allegations coming within the “Personal Injury” coverage for the publication of material that violates a person’s right of privacy. The insurer’s brief taking the position that there must be public disclosure of biometric information can be found here.

On the other hand, the policyholder in Krishna requested the Illinois Supreme Court affirm the Illinois Appellate Court’s decision.   In its brief submitted to the Supreme Court, the policyholder argues “[t]he ‘personal injury’ coverage of the West Bend policies applies to claims—such as Sekura’s—which involve the ‘oral or written publication of material that violates a person’s right of privacy’. Indeed, allegations that Krishna violated BIPA by disclosing Sekura’s fingerprint data to an out-of-state third-party vendor fall squarely within this coverage.” The policyholder’s brief can be found here.

Similar to Illinois businesses, insurers have found BIPA created unintended consequences.  Even though insurers have taken steps to provide insurance policies that provide coverage for BIPA violations, Illinois courts still try to contort CGL policies to cover BIPA claims. The Illinois Supreme Court now has the opportunity to provide guidance on whether BIPA claims can trigger coverage under CGL policies.

For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com.

The post The Illinois Legislature and the Illinois Supreme Court Take Steps to Bring Balance to BIPA appeared first on Privacy Risk Report.