“Publication” has always been an important consideration under the Personal Injury prong of commercial general liability policies (“CGL”). Likewise, questions related to “publication” are growing in importance in litigation involving Illinois’ Biometric Information Privacy Act (“BIPA”). For example, Illinois courts have previously found that BIPA claims involving “publication” of biometric information to a third party may trigger coverage under the “personal injury” definition of CGL policies. And now, a recent Illinois Court of Appeals decision has found BIPA violations involving “publication” are subject to a one-year statute of limitations. This recent development may beg the question as to how multiple CGL policies can be triggered by BIPA publication claims when they are subject to a one-year statute of limitations.

On September 17, 2021, the Illinois Court of Appeals provided much-needed guidance on the proper statute of limitations for alleged violations of BIPA. In Tims v. Black Horse Carriers, Inc.,1-20-0563 (First Cir. Sept. 17, 2021), the Illinois Court of Appeals for the First District addressed the defendant’s argument that BIPA was subject to a one-year limitations period under section 13-201 while plaintiffs claimed BIPA was subject to a five-year statute of limitations under 13-205.

The Illinois legislature did not provide a specific statute of limitations for BIPA claims. Litigants have primarily argued two statute of limitations were applicable. First, 735 ILCS 5/13-201 entitled “Defamation – Privacy” provides “[a]ctions for slander, libel or for publication of matter violating the right of privacy, shall be commenced within one year next after the cause of action accrued.” Second, 735 ILCS 5/13-205) entitled “Five-year limitation” provides a catch-all for all “actions on unwritten contracts, expressed or implied, or on awards of arbitration, or to recover damages for an injury done to property, real or personal or to recover the possession of personal property or damages for the detention or conversion thereof, and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”

The Tims court did not apply a single statute of limitations uniformly to all the violation subparts of BIPA. Rather, in determining which statute of limitations individually applies to the various violation subparts of BIPA, the Court of Appeal’s determination was driven by whether the claimed BIPA violation subpart involves publication:

A private party would violate section 15(a) by failing to develop a written policy establishing a retention schedule and destruction guidelines, section 15(b) by collecting or obtaining biometric data without written notice and release, or section 15(e) by not taking reasonable care in storing, transmitting and protecting biometric data. Id. at ¶ 31 (citing 740 ILCS 14/15 (West 2018)) (emphasis added).

The Tims court further noted “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself. Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” Id. at ¶ 31 (quoting 735 ILCS 5/13-201 (West 2018)) (emphasis added).

In summary, the Court of Appeals found the following statute of limitations apply to BIPA claims:

Of course, insurance coverage was not at issue in the Tims decision. It will be interesting to see how this decision, which limits the BIPA claims involving “publication,” impacts insurance coverage. Of course, the Illinois Supreme Court has found coverage for BIPA claims under the “personal injury” definition of CGL policies because of publication to third parties. See, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (May 20, 2021). Therefore, insurers may be able to argue only one CGL policy has been potentially triggered when the BIPA publication claims are subject to a one-year statute of limitation.

This decision also misses another important aspect to determining insurance coverage for BIPA claims—accrual of the claim. While the Tims decision will offer some clarity as to the important issue of the proper statute of limitations for these claims, it left one rock unturned. Importantly, the Tims court did not address when a biometric claim accrues. Therefore, it is still unclear whether repeated conduct gives rise to a single BIPA violation or if each new violation gives rise to a new BIPA claim. While this issue causes problems on the defense side of BIPA cases, this issue is equally important when analyzing insurance coverage for BIPA claims as violations potentially span a number of policy periods.

For more information about this article, contact Todd Rowe, working at home, of course, at trowe@tresslerllp.com.

The post Did An Illinois Court Intend To Limit Coverage For BIPA Claims Under CGL Policies To One Year? appeared first on Privacy Risk Report.

Over the last couple of years, courts have struggled with whether cyber claims could trigger coverage under commercial general liability (CGL) insurance policies. While courts have found most cyber claims will not be covered as “bodily injury” or “property damage” under the typical CGL policy, some courts have struggled with whether cyber claims constitute “publication” under the advertising and personal injury coverage of a typical CGL policy.

Travelers Indemnity Co. v. Portal Healthcare Decision

On April 11, 2016, the 4th U.S. Circuit Court of Appeals issued its unpublished decision in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, L.L.C. In Portal, the 4th Circuit held medical records posted on the Internet could potentially give rise to coverage under a CGL policy.

This coverage action originates with a class action complaint filed against Travelers’ insured, Portal, alleging that Portal’s conduct resulted in the underlying plaintiffs’ medical records being posted on the Internet for more than four months. Travelers initiated the declaratory judgment action seeking a determination that there was no coverage for the class action complaint under two CGL policies it issued to Portal.

In affirming the decision by the U.S. District Court for the Eastern District of Virginia, the 4th Circuit held “that the class-action complaint ‘at least potentially or arguably’ alleges a ‘publication’ of private medical information by Portal that constitutes conduct covered under the Policies.” The 4th Circuit further held “[s]uch conduct, if proven, would have given ‘unreasonable publicity to and disclose[d] information about patients’ private lives,’ because any member of the public with an Internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online.”

Based on this reasoning, the 4th Circuit held Travelers had a duty to defend Portal in the class action. This decision highlights the importance of what happens to the sensitive information and whether there is a “publication” as that term is defined under the typical CGL policy.

Putting the Portal Decision in Context

In contrast, on May 18, 2015, the Connecticut Supreme Court affirmed a lower court’s decision finding there was no insurance coverage for more than $6 million in losses related to the exposure of private information belonging to nearly 500,000 IBM employees. In Recall Total Info. Management, Inc. v. Federal Ins. Co., the insured sought coverage under its CGL policy when it lost data storage tapes storing its customer’s private information. The tapes fell off the back of the insured’s van and it was believed that about 130 of the tapes were taken from the road by an unknown person. The CGL policy at issue provided coverage for “personal injury” which included “publication of material that…violates a person’s right to privacy.”

In analyzing this provision and the facts of this case, the Recall Total court first held there was no dispute that the information on the tapes was private, and, second, that the threshold was whether the information on the tapes had been “published.” In finding there was no coverage, the lower court held there was no evidence that the information on the tapes had been found or used after the tapes fell off the van. In reviewing the evidence, the Court found “[t]here is nothing in the record suggesting that the information on the tapes was ever accessed by anyone.” Specifically, the Recall Total lower court decision addressed the personal injury provision in the following manner:

On the basis of our review of the policy, we conclude that personal injury presupposes publication of the personal information contained on the tapes. Thus, the dispositive issue is not loss of the physical tapes themselves; rather, it is whether the information in them has been published. The plaintiffs contend that the mere loss of the tapes constitutes a publication, and has alleged that the information was published to a thief. The plaintiffs have failed to cite any evidence that the information was published and thereby failed to take their allegation beyond the realm of speculation. See, e.g., Norse Systems, Inc. v. Tingley Systems, Inc., supra, 49 Conn.App. at 591, 715 A.2d 807 (speculation or conjecture will not overcome motion for summary judgment). As the complaint and affidavits are entirely devoid of facts suggesting that the personal information actually was accessed, there has been no publication.

In its concise decision, the Connecticut Supreme Court said there was no purpose in repeating the discussion in the superior court’s “well-reasoned” January 2014 ruling.

While these decisions may arguably not involve a data breach or a classic cyber claim, many commentators believed that the Recall Total court’s reasoning would shed light on how data breach might be viewed from a coverage perspective when there is no evidence that the private or confidential information was actually published to third parties.

Portal’s Contribution to Current State of the Law

Undoubtedly, the Portal decision provides significant guidance on the issue of whether data breaches will be covered under traditional CGL policies. Prior to this decision, the body of law was limited to the reasoning of the Recall Total decision, which was in harmony with the trial court’s decision in Sony’s coverage action against Zurich. In the Sony case, which was settled before the appellate court could render its decision, the New York trial court ruled Zurich had no duty to defend because there was no “publication” under Coverage B of the CGL policy.

When the dust settles, we may see that the Portal decision has little impact with extent to medical records placed on the internet. Not all cyber claims result in information or data posted on the Internet, or in another manner, to third parties. Rather, many cyber claims involve information being taken and used for criminal acts. That is, a court may not find the information taken in the Target breach (credit card information stolen) or similar cyber incidents includes this “publication” element required to trigger CGL coverage.

The post Early Observations in Portal Healthcare Decision: CGL Coverage for Cyber Claims? appeared first on Privacy Risk Report.