Coverage litigation relating to liability claims arising out of the Illinois Biometric Information Privacy Act (“BIPA”) has been relatively non-existent. One reason for this may be insurers’ reasonable conclusion that an exclusion introduced in 2006 in response to litigation arising under the Telephone Consumer Protection Act (“TCPA”) applies to this new genre of privacy litigation. That exclusion, generically referred to as the Violation of Statutes Exclusion, was the insurance industry response to decisions from around the country finding that TCPA violations qualified as “personal injury” under liability policies. The exclusion evolved over time and now includes a catch-all provision that applies to violations of federal or state statutes or ordinances or regulations other than the enumerated statutes referenced in the exclusion—the TCPA, the CAN-SPAM Act of 2003 and the Fair Credit Reporting Act (“FCRA”). The Illinois court’s opinion in Westbend Mutual Insurance Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 Ill.App.(1st) 191384, is an example of how important the wording of that catch-all provision is for insurers seeking to rely on it to exclude coverage for BIPA violations.
The insurer in Krishna first claimed that the BIPA violation did not qualify as personal injury. The court made short shrift of this assertion. Turning to the exclusion, the court observed that the catch-all in the policy applied to conduct that violated the TCPA, the CAN-SPAM Act of 2003 “or any other statutes, ordinance or regulation … that prohibits or limits the sending, transmitting, communication or distribution of material or information.”
The court rejected the insurer’s argument that the exclusion applied to BIPA claims which relate to the collection and storage of biometric information. The court instead noted that the title of the exclusion in the policy—Violation of Statutes that Govern Emails, Fax, Phone Calls or Other Method of Sending Material or Information—coupled with the catch-all provision evinced an intent to limit the exclusion to statutes regulating methods of communication only. The court held that the exclusion did not apply to the BIPA claim because that statute regulates the collection and storage of biometric information.
The version of the Violation of Statutes Exclusion the Illinois Appellate Court in Krishna construed differs from the version in other liability policies. There are more robust catch-all versions that refer to statutes, ordinances, or regulations that address, prohibit, or limit “the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material.” The express reference to “collecting” and “recording” of material as well as “disposal” should be sufficient to distinguish the Krishna analysis, which turned on what BIPA requires and prohibits.
BIPA expressly regulates how biometric information is collected, which can include a voice print that is “recorded.” See 740 ILCS 14/10; 14/15(b). BIPA also regulates disposal of the collected biometric material. See 740 ILCS 14/15(a).
Krishna is a reminder that not all exclusions are created equal. To the extent that coverage in liability policies may be exposed to BIPA claims, attention should be given to the version of the Violation of Statutes Exclusion contained in the policy. The more robust and inclusive the catch-all provision is, the stronger the likelihood that the exclusion will prevail and the insurer will be successful in disclaiming coverage. The Krishna opinion may also be a signal to insurers that the Violation of Statutes Exclusion should be revisited in this day and age in which privacy litigation will continue to proliferate as more and more states enact increasingly broad data privacy statutes.