An Illinois appellate court recently held that the insurer West Bend Mutual Insurance has a duty to defend its policyholder, Krishna Schaumburg Tan Inc., in a lawsuit claiming violations of the Biometric Information Privacy Act ("BIPA"). BIPA is an Illinois law, passed in 2008, meant to guard against the unlawful collection and storage of biometric information. The law requires, among other provisions, that companies doing business in Illinois obtain consent from individuals if the company intends to collect or disclose their personal biometric identifiers.
In the underlying class action, plaintiff Klaudia Sekura alleged that the tanning salon collected her fingerprint in order to verify her identification. Sekura alleges her fingerprint was unlawfully stored – a method the salon uses as a way to grant customers access to affiliated salons across the country – and disclosed to a third-party vendor called SunLync without her authorization.
While West Bend Mutual Insurance initially agreed to defend Krishna Schaumburg Tan Inc., it reserved the right to challenge its coverage obligation and eventually sued in Cook County Circuit Court claiming that it had no duty to defend the tanning salon. The insurance company argued that under its policy's exclusion provision, the company was not under a duty to defend because of the salon's violation of BIPA.
The exclusion provision states that coverage is excluded for any "bodily injury, property damage, personal injury, or advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate: (1) The Telephone Consumer Protection Act (TCPA), including any amendments of or addition to such law; or (2) The CAN-SPAM ACT of 2003, including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of materials or information." Alternatively, the insurance carrier claimed that the alleged violation was not covered because it did not meet the policy's "distribution" requirement since Sekura's fingerprint was only disclosed to one party, SunLync, and not to the public at large.
The Illinois First District Appellate Court affirmed the Cook County Circuit Court judge's holding that the plaintiff's allegations were covered under the policy's personal injury section describing invasion-of-privacy actions. Additionally, the appellate court agreed with the trial judge's finding that the policy's "publication" requirement was met. The court stated that "publication" includes both the general sharing of information with multiple parties and a more limited sharing with a single recipient.