Partner Michael Savett Comments on Significant Decision Affecting Biometric Privacy Coverage

Law360 (May 24, 2021, 5:42 PM EDT) — The Illinois Supreme Court’s recent ruling that a tanning salon’s general liability insurer must defend it against a customer’s Biometric Information Privacy Act lawsuit will embolden policyholders to seek coverage for BIPA claims, which could lead insurers to roll out higher premiums or more limitations on data privacy coverage.

The state high court affirmed Thursday that West Bend Mutual Insurance Co. must defend Krishna Schaumburg Tan Inc. in a proposed BIPA class action under the salon’s commercial general liability — or CGL — policy, which covers claims arising from the publication of information that violates an individual’s privacy rights. The decision is the first to provide top-level guidance for attorneys dealing with the rising number of coverage disputes resulting from BIPA claims.

Attorneys who represent policyholders told Law360 that the decision provides a good road map for securing coverage for BIPA claims and could be the start of a trend in other jurisdictions. On the other hand, attorneys representing carriers said the ruling is an “alarm bell” signaling that general liability insurers should finally craft stricter data privacy exclusions.

“The Illinois Supreme Court has said it loud and clear that it believes there is coverage for BIPA claims under general liability policies for these kinds of statutory privacy violations in Illinois,” said Peter Halprin of Pasich LLP, who represents policyholders. “It may set a standard for other states that are moving in the direction of an Illinois type of BIPA regulation.”

While BIPA has been around since 2008, proposed class actions started to show up around 2017 in a surge that legal experts have attributed to public scandals over consumer data and high-profile suits brought under the act against Facebook, photo-sharing company Shutterfly and others.

Now, with Thursday’s ruling, companies facing BIPA claims will feel emboldened to seek coverage and, if necessary, bring actions seeking declarations that insurers should defend such claims, attorneys representing both policyholders and insurers agreed. In addition, individuals filing BIPA lawsuits against companies may become more confident in their settlement negotiations, believing that insurers will provide the funds, they said.

“This ruling should help give policyholders the confidence to push for coverage and not just accept the insurance companies’ initial determination, especially when they’re pushing for a duty to defend,” said Daniel J. Healy, a partner at Anderson Kill PC.

Pasich’s Halprin said the Illinois high court’s decision further shows that cyber crime and statutory privacy liability claim coverage issues are becoming a priority at both the state and federal levels, referencing the Indiana Supreme Court’s March ruling opening the door for ransomware coverage under crime insurance and a Maryland federal court’s decision last year finding coveragefor ransomware liabilities under a property policy.

Scott Godes, a partner at Barnes & Thornburg LLP, said the Illinois Supreme Court reaffirmed an important insurance principle that “when there is more than one reasonable interpretation of the policy language, then that language is ambiguous and must be construed in favor of coverage.”

The state high court construed “publication” broadly in the tanning salon’s favor, finding there is more than one potential meaning of the term that encompasses a situation when information was given to just one party, instead of to the public at large.The underlying class action alleges Krishna violated the statute by storing and distributing customers’ fingerprint data to a single vendor without their consent.

The court’s ruling on the publication issue is not just significant for BIPA violation claims but also sets an important precedent for all data privacy coverage litigation in other states, Godes added.

But the ruling’s potential breadth is precisely what is concerning to attorneys who represent insurers.

“This decision is a ringing alarm bell,” said Andrew G. Lipton of Robinson & Cole LLP. “What it basically says to noncyber insurers is that they should be very careful about general liability policies and others like it and make sure that the right exclusions are in place.”

Laura Foggan, a partner at Crowell & Moring LLP, said the ruling could have a big impact outside of BIPA violation claims because the Illinois Supreme Court applied “a big expansion” of the word “publication,” which is included in the standard personal and advertising injury provisions of CGL policies. So policyholders could rely on the ruling to expand the definition of personal and advertising injury, she added.

Foggan said insurers are definitely starting to look at their underwriting processes and are screening more strictly to determine whether a company collects personal identifiable information. Insurers may change policy premiums accordingly after Thursday’s decision, she said, and a BIPA-specific exclusion may not be far away.

Michael S. Savett, a partner at Clark & Fox who also represent carriers, said the high court ruling will be “an engine for class action attorneys and plaintiffs attorneys to be filing a lot of lawsuits” and compel all parties to pour more bucks into litigation efforts because policyholders may push the boundaries for coverage in other data privacy litigation efforts.

“This is going to cost everybody more money at the end of the day, whether it’s more premiums, whether it’s additional legal fees. I don’t think it’s a win-win for anyone,” he said.

Savett said insurance carriers will also engage in a lot more disputes on the meaning of common CGL policy exclusions, such as confidential information exclusions, employment practice liability exclusions and advertising injury exclusions.

Indeed, insurers will not necessarily have to defend BIPA claims going forward, because the defense duty still depends on the specifics of the insurance claim and any relevant policy exclusions, said Jonathan L. Schwartz, co-chair of Goldberg Segalla’s cybersecurity and data privacy group.

This Krishna case is different from the “vast majority” of BIPA lawsuits because the plaintiff was a customer, Schwartz said. If the underlying lawsuit is brought by the policyholder’s employees, and the policy has an employment practice exclusion or a violation of privacy rights exclusion, insurers can still point to those exclusions to argue against coverage, he said.

Furthermore, attorneys representing insurers said there will be significant pushback by insurers to avoid similar types of rulings outside of Illinois and to try to make the case an outlier. Efforts to challenge the Krishna decision’s reach will be important because “one has to imagine that other states are going to enact very similar statutes or something with a biometric information protection element to it,” said Lipton, of Robinson & Cole.

As it stands, BIPA is the only statewide biometric privacy law that permits private plaintiffs to sue for violations; biometric data protection laws on the books in Texas and Washington state leave enforcement up to those states’ attorneys general. But earlier this year, lawmakers in New York and Maryland each pitched biometric privacy legislation providing for a private cause of action akin to BIPA’s.

“So a decision like this can be problematic in the future,” Lipton said. “It’s really a roll of the dice.”