In a new BIPA decision, coverage barred by Employment-Related Practices exclusion, but not by Access or Disclosure of PI exclusion

In American Family Mut. Ins. Co. v. Caremel, Inc., 2022 WL 79868, at *1 (N.D. Ill. Jan. 7, 2022), the Illinois federal district court ruled that a CGL policy did not provide “personal and advertising injury” defense coverage for an underlying class action brought under the Illinois Biometric Information Privacy Act (BIPA) on account of the policy’s employment-related practices (ERP) exclusion. The court also held, however, that the policy’s exclusion prohibiting coverage for unauthorized access or disclosure of personal information did not apply. The facts of the case are straightforward.   

The insured, Caremel, operated several McDonald's restaurants in Illinois. An employee of the insured filed a BIPA action against Caremel arising out of his employer’s use of a biometric time clock system to record employee time worked. According to the underlying complaint, the timekeeping system required employees to scan their fingerprints whenever they began or stopped working. This biometric data was then disclosed to Carmel's timekeeping vendor, a third party. Caremel did not obtain any consent or releases for the processing and alleged “disclosure” of the data in violation of BIPA. 

Caremel sought defense coverage. Its carrier denied coverage and commenced a declaratory judgment action, contending that several policy exclusions prohibited coverage: (1) the “Access or Disclosure Exclusion,” (2) the “ERP Exclusion,” and (3) the “Violation of Statute Exclusion.”

First focusing on the Access or Disclosure Exclusion, the court described the exclusion as prohibiting coverage for “for personal and advertising injury ... arising out of any access to or disclosure of any person’s ... confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” Citing the legal doctrine of ejusdem generis in which, where general words follow more specific words, the general words are construed and limited by the preceding specific words, Caremel argued that “because the Access or Disclosure Exclusion specifically mentions patents, trade secrets, processing methods, customer lists, financial information, and health information the reference to ‘every other type of nonpublic information’ must exclude fingerprints, which are of a different sort than the examples.”

Employing ejusdem generis and the logic reasoned by the Supreme Court of Illinois in West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. (Ill. 2021), the federal court agreed.

Patents, trade secrets, processing methods, and customer lists are all forms of intellectual property which cannot be interpreted to include fingerprints. Financial information likewise cannot be interpreted to include fingerprints. The closest provision that could arguably be interpreted to include fingerprints would be “health information.” But to do so would stretch the definition of health information to include a physical characteristic that has nothing to do with the state of health of an individual. Moreover, to the extent that the exclusion is ambiguous, it is to be interpreted in favor of coverage. [ ] For these reasons, the Access or Disclosure Exclusion does not apply to the Ross Action.

Looking to the policy’s Violation of Statute exclusion, the court summarily held that the exclusion did not apply, concluding that “[t]his exclusion is virtually identical to the provision analyzed in Krishna.”

Finally, however, the court held that the policy’s ERP exclusion precluded coverage for the underlying BIPA class action. As described by the court, the exclusion prohibited coverage for personal and advertising injury “arising out of any ... employment related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person ....” The carrier argued that the exclusion applied because the alleged requirement that an employee give his or her fingerprint in the time clock was an employment-related practice. Again citing ejusdem generis, Caremel argued that the exclusion did not apply because “the harm caused by a BIPA violation is unlike the exemplar harms,” like harassment, humiliation or discrimination, listed in the exclusion.

Unlike with the “Access or Disclosure” exclusion, the court rejected the contention that ejusdem generis precluded the exclusion’s application. The court concluded that each example of harm reflected a practice that caused an individual harm, which was the type of harm BIPA sought to remedy. The court explained:

The Court further concludes that a BIPA violation is of the same nature as the exemplar employment-related practices listed in the Policy. Each of “coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation” reflect a practice that can cause an individual harm to an employee. [Citation omitted.] As discussed above, the same is true for a BIPA violation. That the conduct harmed many employees at the same time does not change this analysis. Accordingly, American may deny coverage for Caremel's expenses associated with the Ross Action under the ERP Exclusion.

For the same reasons, the court rejected Caremel’s second argument that the ERP exclusion did not apply because the practices identified in the exclusion were ones directed at an individual employee, whereas here, Caremel’s fingerprint requirement was directed at all employees. The court observed that “[t]he requirement that an employee submit his fingerprints is a requirement that applies to employees individually …. Consequently, the alleged harm, if there is any, would be experienced individually.” As a result, the underlying plaintiffs “suffer risk of individual injuries” from Caremel’s alleged failure to comply with BIPA.  

What this case means. The reasoning expressed in this opinion should not be surprising. On the one hand, many of the BIPA “fingerprint scan” lawsuits clearly arise out of a basic and fundamental employment practice – the keeping of time for compensation purposes. Many of these lawsuits allege that employees were “required” to use fingerprint time clocks, so even if one were to accept the policyholder’s ejusdem generis argument here, we still have an instance of a coercive employment practice.

Likewise, anyone who has studied the West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. decision should not be terribly surprised by the court’s rejection of the unauthorized access or disclosure of personal information exclusion to the underlying BIPA action. We disagree with the decision and believe that the exclusion has a broader expanse than what the court accords it. However, the reasoning expressed by the court has been a recent trend in Illinois courts. As a federal decision, Illinois state courts are free to disregard it, so the coverage issues addressed in Caremel remain unsettled.