chevron-down Created with Sketch Beta.

TortSource

Spring 2024

Spring into Action: Making Sure Your Coverage House Is in Order in Light of Growing Cyber Risks and Claims

Steven Weisman and Margaret Andresini

Summary

  • As more states enact BIPA-like laws, more BIPA-related lawsuits will be filed, and more companies will seek coverage for such lawsuits.
  • Here at the steps an insured should take to position itself for insurance coverage for BIPA-like claims.
Spring into Action: Making Sure Your Coverage House Is in Order in Light of Growing Cyber Risks and Claims
Oscar Wong via Getty Images

Jump to:

As April’s showers fall and May’s flowers bloom, many of us will partake in an age-old springtime ritual: spring cleaning. We’ll store away our winter coats, clean the windows, vacuum behind the couch, and take time to attend to any deferred maintenance and repairs throughout the home. In light of the ever-growing cyber-related risks and claims, insureds also should take time this spring to review their insurance program to assess whether they possess coverage for such risks and claims and to determine whether and to what extent they should try to enhance that coverage. A brief examination of recent BIPA-related insurance coverage cases serves as a helpful reminder that having a revitalized and robust insurance program—that includes cyber insurance policies—is essential.

Illinois’ Biometric Information Privacy Act (BIPA)—a state law enacted in 2008—regulates the collection, use, storage, and destruction of biometric identifiers and information, such as fingerprints, iris scans, and voiceprints. BIPA requires companies that collect biometric data to receive written consent from employees and customers and to develop a written policy regarding the collection, retention, and destruction of biometric data. In this way, BIPA takes a “rights-based” approach to individuals’ biometric data. Recently, this approach has caught on, with Colorado, Connecticut, Utah, and Virginia now having similar laws, and Florida, Montana, Iowa, Tennessee, and Indiana expected to enact similar laws soon. As more states enact BIPA-like laws, more BIPA-related lawsuits will be filed, and more companies will seek coverage for such lawsuits. Accordingly, it is instructive to know how Illinois courts have wrestled with BIPA-related coverage claims.

Illinois courts, when examining violation of law (VOL) exclusions in commercial general liability policies, have found—until recently—that coverage exists for BIPA-related claims. (The one exception to this generality was the Northern District of Illinois’s 2022 decision in Continental Western Insurance Co. v. Cheese Merchants of America, LLC; however, that case was abrogated by the Seventh Circuit’s 2023 decision in Citizens Insurance Co. of America v. Wynndalco Enterprises, LLC, which is discussed below). For instance, in the seminal state supreme court case West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 183 N.E.2d3d 47 (Ill. S.Ct. 2021), the Illinois Supreme Court found the VOL exclusion at issue did not apply to alleged BIPA violations. West Bend centered on a tanning salon’s alleged sharing of biometric identifiers and information with a third-party vendor; the Court determined this was sufficient to trigger coverage under the salon’s general liability policy’s personal or advertising injury coverage part. Id. at 55-58. The Court then analyzed whether the insurance policy’s VOL exclusion barred coverage for the lawsuit. The exclusion at issue barred coverage if an insured allegedly violated the Telephone Consumer Protection Act (TCPA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), or any law that “prohibits or limits the sending, transmitting, communicating or distribution of material or information.” Id. at 52. The court concluded that BIPA, which relates to the collection of biometric information, did not so qualify. Id. at 60. Until recently, West Bend was controlling authority when it came to analyzing VOL exclusions for BIPA-related coverage claims.

That changed, however, in December 2023 when an Illinois Appellate Court decided The National Fire Insurance Company of Hartford v. Visual Pak Co., Inc. 2023 IL App. (1st) 221160. In that case, the appellate court held the general liability policy’s VOL exclusion did apply to alleged BIPA violations, such that the insurer had no duty to defend the insured against claims that it had “collected, stored, used, or disseminated” employee fingerprints in violation of BIPA. Id. at ¶ 8. In so holding, the Illinois Appellate Court distinguished Visual Pak from West Bend and found fault with the Seventh Circuit’s reasoning in another major BIPA coverage case: Citizens Insurance Co. of America v. Wynndalco Enterprises, LLC. Examining Visual Pak’s reasoning emphasizes the importance of each policy’s unique language.

Visual Pak and West Bend

The Illinois Appellate Court distinguished the policy language at issue in Visual Pak from that in West Bend, deeming West Bend inapplicable for three reasons.

First, the Illinois Appellate Court compared the VOL exclusions’ catchall provisions. The Appellate Court noted that the catchall in West Bend was narrow, applying only to violations of laws that “prohibi[t] or limi[t] the sending, transmitting, communicating or distribution of material or information.” Visual Pak, 2023 IL App (1st) 221160, ¶ 47. The court observed that the Visual Pak policy’s VOL exclusion catchall was broader because it included the words “dissemination, disposal, collecting, [and] recording…of material or information.” Id. at ¶ 52. The court, significantly, determined that broader catchall language describes BIPA.

Second, the Illinois Appellate Court compared and analyzed the respective titles of West Bend’s and Visual Pak’s VOL exclusions. The exclusion’s title in West Bend read “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.” The Illinois Appellate Court, applying the principle of ejusdem generis to the title’s language, determined that the exclusion in West Bend applied only to laws pertaining to modes of communication. By contrast, the title of the exclusion before the Appellate Court in Visual Pak read, “Recording and Distribution of Material or Information in Violation of the Law.” Focusing on the word “recording” in the title, the Appellate Court found the subject Visual Pak exclusion applied more broadly than the West Bend exclusion because it included the “illegal[ ] taking and keeping a record of one’s information.” Id. at ¶ 72. From there, the Appellate Court determined that the catchall in Visual Pak’s policy applied to alleged BIPA violations.

Third, the Appellate Court, further applying the principle of ejusdem generis, distinguished West Bend’s and Visual Pak’s VOL exclusions by focusing on the different statutes listed in each. The West Bend exclusion listed only the TCPA and CAN-SPAM Act, whereas the Visual Pak exclusion referenced the TCPA, CAN-SPAM Act, the Fair Credit and Reporting Act (FCRA), and the Fair and Accurate Credit Transaction Act (FACTA). The Appellate Court acknowledged that the addition of the FCRA and FACTA made it impossible “to limit the exclusion to statutes regulating methods of communication,” as the Illinois Supreme Court had done in West Bend. Id. at ¶ 64 (citing Citizens Ins. Co. of Am. V. Wynndalco Enter., LLC, 70 F.4th 987, 1002 (7th Cir. 2023)).

Accordingly, the Appellate Court deemed West Bend inapposite to the VOL exclusion before it and held the VOL exclusion barred coverage for the BIPA claim.

Visual Pak and Wynndalco

Like Visual Pak, Wynndalco concerned a VOL exclusion that explicitly listed the TCPA, CAN-SPAM Act, FCRA, and FACTA. The Seventh Circuit acknowledged these four statutes touch on different aspects of privacy, with the TCPA and CAN-SPAM Act addressing seclusion (the right to be left alone), and FCRA and FACTA pertaining to secrecy (the right to keep confidential one’s personal information). Yet, the Seventh Circuit determined privacy was not the “focus of the exclusion” such that the “the layperson or business purchasing this policy” would understand the exclusion as applying to privacy laws generally. See Wynndalco, 70 F.4th at 1003.

The Illinois Appellate Court in Visual Pak disagreed with the Seventh Circuit. The Appellate Court found the four statutes could be grouped together under the common theme of privacy and believed “an insured purchasing this business liability insurance…[could] understand that these groups of statutes touch on various aspects of an individual’s personal privacy, though not precisely in the same way.” Visual Pak, 2023 IL App (1st) 221160, ¶ 70. Thus, the Illinois Appellate Court deemed Wynndalco wrongly decided and held instead that “violations of BIPA are included within the catchall exclusion and the…plaintiffs owe no duty to defend.” Id. at ¶ 47.

The Impact of Visual Pak

The District Court for the Northern District of Illinois, Eastern Division in Citizens Insurance Co. of America v. Mullins Foods Products, Inc. revealed the impact of the Visual Pak VOL exclusion decision. The District Court in that case had denied summary judgment to insurer Citizens on July 31, 2023. On December 21, 2023 – mere days after the Illinois Appellate Court decided Visual Pak – Citizens filed with the District Court a motion for reconsideration. Then, on February 27, 2024, the District Court granted Citizens’s motion for reconsideration and granted Citizens summary judgment on the ground that the subject VOL exclusion barred coverage for the BIPA claim against Mullins Foods. The District Court explained, “Visual Pak best represents how the Illinois Supreme Court would decide whether the [VOL exclusion at issue] includes violations of BIPA.” Citizens Ins. Co. of Am. v. Mullins Food Prod., Inc., No. 22-CV-1334, 2024 WL 809111, at *9 (N.D. Ill. Feb. 27, 2024). The District Court then discussed Wynndalco’s and Visual Pak’s examination of the catch-all provision, title of, and the statutes listed within the Mullins Foods VOL exclusion. Id. at *10-11. Notably, the District Court also considered the applicability of the policy’s Access or Disclosure of Confidential or Personal Information Exclusion and found the underlying lawsuit fell within the scope of this exclusion – in addition to the VOL exclusion. Id. at *11-15. The District Court then distinguished West Bend and found it “not directly controlling.” Id. at *11.

As Visual Pak and Mullins Foods indicate, the precise policy language at issue—including even the title of an exclusion—may make or break a coverage determination. Moreover, unless and until the Illinois Supreme Court weighs in on the VOL exclusions at issue in Visual Pak and Mullins Foods and holds differently, Illinois state and federal courts likely will hold for the insurer when determining whether similar VOL exclusions apply to BIPA claims coverage.

Action Items

So, what is an insured to do to position itself for insurance coverage for BIPA-like claims? Of course, the Illinois courts’ decisions do not offer precedential value for insurance coverage disputes subject to another state’s law. That said, prudent insureds concerned about facing BIPA-like lawsuits should do some spring cleaning of their insurance programs.

First, if an insured has a VOL exclusion in any insurance policy that might otherwise provide coverage for BIPA-like claims, the insured should try to keep that exclusion as narrow as possible like in the West Bend policy and otherwise eliminate reference to any activity or law that arguably could relate to BIPA-like claims. Second, an insured also should try to limit the VOL exclusion’s application to a final adjudication of a violation of a law. Such a limitation might then provide coverage for, at least, defense costs incurred in connection with a claim that includes alleged violation of law. Third, VOL exclusions aside, insureds should review their cyber insurance policies to ensure coverage extends to claims arising from the alleged misuse, collection, including the unlawful collection, of personally identifiable information. This step is especially important because some cyber policies limit coverage to breach response services arising out of actual or reasonably suspected data or security breaches. Thus, a claim alleging injury or damages from the mere collection and use of personally identifiable information arguably may not trigger coverage under such a limited cyber policy.

Take for instance Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097, decided in March 2023. There, the Illinois Appellate Court in the First Judicial District (applying New York law) held that an insured’s cyber policy provided coverage against alleged BIPA violations because of the policy’s broad definitions of “media material” and “media liability.” The cyber policy provided that media liability means one or more of the following acts committed by, or on behalf of, the Insured Organization in the course of creating, displaying, broadcasting, disseminating or releasing Media Material to the public. . . 2. A violation of the rights of privacy of an individual, including false light, intrusion upon seclusion and public disclosure of private facts. Id. at ¶ 32. However, the policy excluded any loss arising out of the “unlawful collection or retention of Personally Identifiable Information or other personal information by or on behalf of the Insured Organization,” but it did not apply to “Claims Expenses incurred in defending the Insured against allegations of unlawful collection of Personally Identifiable Information.” Id. at ¶ 33.

The complaint alleged that Remprex had collected plaintiff’s fingerprints in violation of Illinois’s Privacy Act. The insurer argued the cyber policy afforded no coverage because the claim was not for alleged data or security breaches (e.g., claims for the alleged unauthorized access to or use of computer systems). The court, however, determined that the claim triggered the cyber policy’s media liability coverage part. While the court rejected Remprex’s argument that the underlying claim triggered media liability coverage because media material was not allegedly disseminated to the public, the court determined that the underlying claim triggered media liability coverage because it sufficiently alleged the right to privacy was violated during the course of creating media material (i.e., the fingerprints). Id. at ¶ 72. Accordingly, the Appellate Court held the insurer was obligated to provide coverage for “expenses incurred in defending the insured against allegations of the unlawful collection of personally identifiable information,” which the Appellate Court found was “precisely what the…complaint accused Remprex of doing.” Id. at ¶ 73.

In short, this spring, just as we take steps to make sure our physical house is in order, insureds should take steps to make sure their insurance policy house is in order. Coverage discussed herein is just one potential risk rubric among many that insureds should consider when reviewing and evaluating their coverage program.

    Author