A recent Illinois appellate court decision found that West Bend Mutual Insurance Company had a duty to defend its insured, Krishna Schaumburg Tan (a “L.A. Tan” franchisee), for violations of Illinois’ Biometric Information Privacy Act (the “BIPA”) under a businessowners liability policy issued by West Bend. Specifically, in Krishna Schaumburg Tan, Inc. v. West Bend Mut. Ins. Co., 2020 IL App (1st) 191834 (Mar. 20, 2020), an Illinois appeals court held that an underlying class action complaint alleging violations of the BIPA triggered West Bend's duty to defend under the “invasion of privacy” prong of the policy's personal injury coverage.
As a refresher, the Illinois BIPA imposes restrictions on how private entities collect, retain, disclose and destroy biometric identifiers, including retina or iris scans, fingerprints, voiceprints, scans of hand or face geometry, or biometric information. Under the BIPA, any person “aggrieved” by a violation of its provisions “shall have a right of action…against an offending party” and “may recover for each violation” the greater of liquidated damages or actual damages, reasonable attorney fees and costs, and any other relief, including an injunction, that the court deems appropriate.
The underlying plaintiff, Klaudia Sekura, filed a proposed class action complaint against Krishna in April 2016, alleging in part that Krishna had violated her rights and the rights of those similarly situated under the BIPA. According to the complaint, when someone first purchases a service at Krishna, that customer is enrolled in the L.A. Tan national membership database to allow them to use their membership at any L.A. Tan location and are required to have their fingerprints scanned for the purpose of verifying their identification. Plaintiff further stated that she was never provided with, nor signed, a written release allowing Krishna to disclose her biometric data to any third party. She alleged that Krishna violated the BIPA by, among other things, disclosing her fingerprint data to an out-of-state third-party vendor, SunLync, without her consent in violation of the act.
West Bend issued consecutive policies to Krishna, which provided “Businessowners Liability Coverage” for damages because of “personal injury” caused by an offense committed in the insured’s business. The policies defined “personal injury” to include injury, other than bodily injury, arising out of oral or written publication of material that violates a person’s right of privacy. Additionally, the policies included a “violation of statutes” exclusion that barred coverage for personal injuries “arising directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, the CANSPAM Act of 2003 (15 U.S.C. § 7701 et seq. (2012)), or “[a]ny statute, ordinance or regulation…that prohibits or limits the sending, transmitting, communication or distribution of material or information.”
The crux of the court’s decision focused on whether Krishna’s violation of the BIPA constituted a “publication” under the policies’ personal injury coverage. In the underlying complaint, Plaintiff alleged that Krishna violated the BIPA by providing her fingerprint data to a single third-party vendor, SunLync. West Bend argued that “publication” requires communication of information to the public at large, not simply a single third party, and that Plaintiff’s allegation therefore did not charge Krishna with a “publication.” In distinguishing case law cited by West Bend, the court rejected its narrow interpretation of the term, instead finding the allegations sufficient to allege a publication.
As the term “publication” was undefined in the policies, the court resorted to common understandings and dictionary definitions of “publication” to define the scope of the term. The Appellate Court reasoned that “publication” clearly includes both the broad sharing of information to multiple recipients (see e.g. the court’s prior decision in Valley Forge), and a more limited sharing of information with a single third party. The Oxford English Dictionary, for example, defines “publication” as both “[t]he action of making something publicly known” and “Law. Notification or communication to a third party or to a limited number of people regarded as representative of the public.” In the defamation context, Black’s Law Dictionary defines “publication” as “communication of defamatory words to someone other than the person defamed” and says specifically that “[a] letter sent to a single individual is sufficient.”
The parties did not dispute that the complaint alleged facts that fit within the rest of the “personal injury” definition, namely that there was a provision of material in violation of Plaintiff’s right to privacy. Thus, because the court found that a common understanding of “publication” encompassed the insured’s act of providing Plaintiff’s fingerprint data to a third party, there also existed potential that Plaintiff’s claim against Krishna was covered by the policies. As such, West Bend had a duty to defend Krishna against the underlying BIPA complaint pursuant to the “personal injury” coverage provision.
As respects the “violation of statutes” exclusion, West Bend argued that the exclusion applied because the BIPA is a statute that “prohibits or limits the sending…of material or information” and the only way to read act is that it “limits or prohibits the communication of biometric information unless the conditions set forth therein are met.” Read in its entirety, however, the court found that the exclusion was not intended to bar coverage for a violation of a statute like the BIPA. According to the court, the exclusion was meant to bar coverage for the violation of a very limited type of statute that is evidenced first from the exclusion’s title (which West Bend conveniently shortened to “Violation of Statutes”). The title, as a whole, was: “Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.” Thus, the court reasoned that the title made clear that the exclusion applies to statutes that govern certain methods of communication, i.e., e-mails, faxes, and phone calls, not to other statutes that limit the sending or sharing of certain information.
In short, the court found that the violation of statutes exclusion applied only to bar coverage for violations of statutes that regulate methods of communication. “The [BIPA] says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’ 740 ILCS 14/5(g) (West 2014).” As the complaint only alleged a violation of the BIPA, which does not regulate methods of communication, the exclusion did not apply to bar coverage.
