Court Finds No Coverage For BIPA Claim Based Upon Violation-Of-Laws Exclusion – by Nicholas J. Daly, Prathyusha Matam

Fingerprint mapping, retinal scanning, facial and voice recognition, and other biometric identifiers are no longer just the stuff of futuristic films. These metrics have all become increasingly common in our everyday world from accessing your phone, to starting your shift at work. And while these advanced technologies can certainly elevate our lifestyle and productivity, the collection, storage, and use of these metrics can also present new and unique questions when it comes to insurance coverage. These questions, and disagreement among courts in how to handle them in the legal landscape, were recently highlighted in Illinois state court in The National Fire Insurance Company of Hartford, et al. v. Visual Pak Company, Inc., et al., 2023 IL App (1st) 221160 (December 19, 2023).

In its ruling of December 19, 2023, the Illinois First District Appellate Court held that the violation-of-law exclusion in a general liability insurance policy issued to Visual Pak Co., a packaging business, precluded coverage for alleged violations of Illinois’ Biometric Information Privacy Act, 740 ILCS 14/15 (“BIPA”). Significantly, in doing so, the First District Appellate Court rejected the Seventh Circuit Court of Appeals’ holding in Citizens Insurance Co. of America v. Wyanndalco Enterprises, LLC, et al., 70 F.4th 987 (7th Cir. 2023), which found that a virtually identical policy exclusion was ambiguous, and that its broad scope rendered a significant portion of the policy’s coverage illusory.

The underlying facts of Visual Pak are increasingly common in litigation across the U.S. An employee, who was required to scan his fingerprint at the beginning and end of each workday, sued his employer on behalf of himself and other employees similarly situated alleging that his employer violated BIPA by collecting, storing, using, or disseminating his fingerprints without his consent, did not have any policies in place regarding the retention and deletion of his fingerprints, failed to inform him of how his biometric information would be used, and failed to provide him with a release for the use of his biometric information. The employer then tendered the lawsuit to its three insurers. Two of those insurers denied coverage based upon the violation-of-law exclusion in their general liability insurance policies which precluded coverage for personal and advertising injury arising out of any action or omission violating or alleged to violate the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act or “any federal, state or local statute, ordinance or regulation, other than [the enumerated Acts], that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”

The underlying suit ultimately included 13,000 class-action plaintiffs and was settled by the employer for $19.5 million. The employer then assigned its rights under the policies and the insurers filed an action seeking a declaration of no coverage.

The Court engaged in a deep analysis of the ejusdem generis and nonscitur a sociss canons to analyze whether the exclusionary language of the catchall provision precluded coverage of this BIPA violation. Ejusdem generis, meaning “of the same kind,” is a canon that “seeks to identify a common theme among a list of items, a theme that would provide a limitation on the more general, catchall language that follows that list.” The Court analyzed the title of the above cited exclusion: “Recording and Distribution of Material or Information In Violation of Law,” as well as the statutes listed in the exclusion. The Court explained that “the TCPA and CAN-SPAM Act deal with a consumer’s freedom from unwanted solicitations, while the FCRA and FACTA protect a consumer’s confidentiality in his or her financial information.” They all pertain to personal privacy. Thus, using the doctrine of ejusdem generis, the scope of the catchall exclusion is limited to the violation of statutes or laws that protect personal privacy.

Even though BIPA was not specifically listed in the exclusion, the Court reasoned that, “[T]he catchall provision is amenable to a reasonable limiting construction of statutes or other laws that protect personal privacy. BIPA is clearly one such statute. So an underlying lawsuit alleging a violation of BIPA would fall under the catchall phrase of the violation-of-laws exclusion.” The Court found that BIPA clearly fits within the same category of laws protecting personal privacy because it “regulates the collection, dissemination, and disposal of one’s biometric identifiers and information.” Thus, the Court found that coverage is excluded.

Significantly, in applying the violation-of-laws exclusion to BIPA claims, the Court in Visual Pak rejected the U.S. District Court for the Seventh Circuit’s holding in Citizens Insurance Co. of America v. Wyanndalco Enterprises, LLC, et al., 70 F.4th 987 (7th Cir. 2023), which found that a virtually identical policy exclusion was ambiguous, and that its broad scope rendered a significant portion of the policy’s coverage illusory. The Court in Visual Pak explained that an exclusion is only broad and illusory when “the exclusion has the effect of ‘swallowing’ the coverage entirely.” Application of the exclusion to BIPA claims would not completely do away with the personal and advertising injury coverage, as the exclusion still only precludes coverage for statutory causes of action related to personal privacy. To the contrary, there are still common-law actions that would fall outside the scope of the exclusion: (1) intrusion upon the seclusion of another, (2) appropriation of another’s name or likeness, (3) public disclosure of private facts, and (4) publicity placing another in a false light.

Given the potential for significant verdicts in lawsuits asserting BIPA violations, the Visual Pak decision is a major victory for insurers equipped with similar violation-of-law exclusions. However, both Illinois state courts and federal courts interpreting Illinois law remain divided on whether violation-of-law exclusions apply to BIPA claims. Nevertheless, insurers should consider explicitly including BIPA in their exclusionary language, the same way that the FCRA, FACTA, TCPA, and CAN-SPAM Act are commonly listed.