The U.S. District Court for the Northern District of Illinois recently held that several policy exclusions failed to unambiguously and conclusively bar coverage for a purported class action brought under Illinois’ Biometric Information and Privacy Act (“BIPA”). In Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 20-cv-05980 (N.D. Ill. Mar. 1, 2022), Citizens Insurance Company of America and Hanover Insurance Company (the “Insurers”) sold Thermoflex insurance policies (the “Policies”) that, among other things, obligated the Insurers to defend and indemnify Thermoflex in suits arising out of privacy violations. Gregory Gates—an employee of Thermoflex—brought a purported class action against Thermoflex alleging that Thermoflex’s collection of its employees’ handprint data, which was allegedly used for authentication and timekeeping purposes, violated Illinois’ BIPA. Thermoflex sought coverage under the Policies. After denying Thermoflex’s request, the Insurers brought suit asking the District Court to declare that they owed no duties to defend or indemnify Thermoflex in the Gates lawsuit.
The Policies provided coverage for, among other things, “personal and advertising injury,” which included injuries “arising out of . . . [o]ral or written publication, in any matter, of material that violates a person’s right of privacy.” There was no disagreement that the Gates lawsuit brought for violations of BIPA arose out of an alleged privacy violation. Instead, the Insurers argued that three policy exclusions barred coverage: the Employment-Related Practices Exclusion, the Recording and Distribution of Material or Information Exclusion, and the Access of Disclosure of Confidential or Personal Information Exclusion.
Employment-Related Practices Exclusion.
Much of the Court’s analysis turned on whether the provisions of the exclusions were ambiguous. The Employment-Related Practices Exclusion, for example, precluded coverage for “personal and advertising injury” arising out of “employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The District Court found that while collection of handprints, or more generally, biometric information, was not expressly listed, the use of the phrase “such as” in the exclusion was illustrative and not intended to be a limiting or an exhaustive list of excluded conduct. According to the District Court, however, it was not clear whether the collection of employees’ handprints was an employment-related practice like those listed in the exclusion. The District Court reasoned that some of the listed examples (defamation, harassment, discrimination, and malicious prosecution for example) could be viewed as types of legal claims, while others (demotion, evaluation, reassignment, and humiliation) could be viewed as types of employer conduct. Although the “privacy violation” at issue in the Gates lawsuit could be understood as a claim, or a “BIPA violation,” it could also be understood as employer conduct, such as “collection of biometric information” or “collection of handprints.” “The mixture of examples in the Employment-Related Practices exclusions amplifie[d] the ambiguity of the exclusions as applied in this case.” Accordingly, the exclusion did not unambiguously preclude coverage and did not absolve the Insurers of their obligation to defend Thermoflex.
Notably, the District Court disagreed with the recent ruling in American Family Mutual Insurance Co., S.I. v. Caramel, Inc., in which another judge in the Northern District granted summary judgment to an insurer after interpreting a similar employment-related practices exclusion as barring coverage in the underlying BIPA suit. American Family, No. 20-cv-637 (N.D. Ill. Jan. 7, 2022). In American Family, the Court explained that “a BIPA violation is of the same nature as the exemplar employment-related practices listed in the Policy” because, like BIPA, “[e]ach of ‘coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, [and] humiliation,’ reflect a practice that can cause an individual harm to an employee.” Id. at 10. The District Court in Thermoflex disagreed. Instead, the Court reasoned that reading the exclusions as barring any employment-related practices that “can” cause harm to an employee would potentially preclude coverage for any claim against an employer. Such a result, according to the District Court, would be contrary to the rule that policy exclusions must “be read narrowly and . . . applied only where . . . clear, definite, and specific.”
Recording and Distribution Exclusion.
The District Court next looked at provisions of the Policies excluding coverage for “personal injuries” arising out of any action or omission that violates the TCPA, the CAN-SPAM Act of 2003, the FCRA or FACTA, or similar statutes. The District Court focused on a “catch-all” provision in the exclusion, which precluded coverage for “personal and advertising injury” arising out of any action or omission that violates or is alleged to violate any federal, state or local statute, ordinance or regulation, other than the listed statute “that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” According to the District Court, on its face, the BIPA is not “of the same kind,” as the TCPA, the CAN-SPAM Act, or the FCRA. The TCPA and CAN-SPAM regulate methods of communication, such as telephone calls or emails, while the FCRA regulates the use of materials such as background reports. The BIPA, by contrast, regulates the collection, use, storage, and retention of biometric identifiers and information. At best, the District Court found it was unclear whether BIPA is sufficiently similar to those other statutes; and at worst, reasoned that the BIPA is different in kind altogether. Thus, the District Court found that the exclusion “may be viewed as ambiguous . . . [and] must be construed in favor of finding coverage” for Thermoflex.
Access or Disclosure Exclusion.
Finally, the District Court considered application of the Access or Disclosure exclusion, which precluded coverage for “personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information. Again, biometric information was not specifically listed in the exclusion, so the Court’s analysis turned on whether that information fell within the catch-all for “any other type of nonpublic information.”
In analyzing the exclusion, the District Court relied on the doctrine of noscitur a sociis, which requires that the catch-all provision be interpreted “by the company it keeps.” Accordingly, the “other type[s] of nonpublic information” excluded from coverage should be “given more precise content by the neighboring words with which they are associated.” The Access or Disclosure Exclusion targets various types of “confidential or personal information.” All the listed examples “are types of sensitive information traditionally kept private—whether for financial/proprietary reasons in the case of patents, trade secrets, processing methods, customer lists, financial information, and credit card information, or for personal reasons in the case of health information.” According to the District Court, however, handprints do not “share [the] attribute[s] . . . of privacy or sensitivity. Indeed, BIPA expressly distinguishes between ‘biometric identifiers,’ and ‘confidential and sensitive information.’” with the former category including “scans of hand or face geometry.” The Court further noted that the BIPA also makes clear that biometrics are unlike other unique identifiers that are used to access finances or other sensitive information.
In short, applying the noscitur a sociis canon to the Access or Disclosure Exclusion yielded “more than one reasonable interpretation,” according to the Court. As with other exclusions discussed above, at best it was unclear whether BIPA treats handprints as “confidential and sensitive information.” Thus, the District Court resolved the ambiguity in the exclusions in favor of Themoflex. Having found that none of the exclusions unambiguously precluded coverage, the District Court held that the Insurers had a duty to defend Thermoflex in the BIPA class-action lawsuit.