Insurer Has Duty to Defend BIPA Lawsuit Alleging Violation of Privacy in the Creation of Fingerprint Data
The Appellate Court of Illinois, First District, applying New York law, has held that an insurer owed a duty to defend an insured in a lawsuit alleging Biometric Information Privacy Act (BIPA) violations because the allegations constituted violations of an individual’s right to privacy in “creating media material,” triggering coverage. Remprex, LLC v. Certain Underwriters at Lloyd’s London, Syndicates 2623/623, 2023 WL 2974776 (Ill. App. Ct. Mar. 31, 2023). The court also held that the insurer owed no duty to defend where there was no Claim because the insured was never named in the lawsuit.
A hardware and software provider noticed two BIPA lawsuits to its insurer. Despite not being named as a defendant, the provider voluntarily participated in the first lawsuit. The insured also received a letter requesting indemnification pursuant to contract from a defendant in that lawsuit, which the insured tendered to the insurer. The second lawsuit alleged that the insured designed and operated biometric technology software and hardware, which was used to collect, capture, and transfer fingerprints in violation of BIPA. The Insurer denied coverage for the first lawsuit because the insured was not the subject of a Claim. The insurer denied coverage for the second lawsuit because it did not allege covered Media Liability, which the subject policy defined as “one or more of the following acts committed by, or on behalf of, the Insured Organization in the course of creating, displaying, broadcasting, disseminating or releasing Media Material to the public,” including “a violation of the rights of privacy of an individual[.]” In the ensuing coverage litigation, the lower court dismissed the insured’s lawsuit and the insured appealed.
The Appellate Court agreed with the insurer that it did not owe a duty to defend the first lawsuit because the insured was not the subject of a Claim, defined in relevant part as a “written demand received by any Insured for money or services” and that coverage for the related request for indemnification was barred by the contractual liability exclusion.
Regarding the second lawsuit, the court disagreed with the insured’s argument that there was a duty to defend because the complaint alleged sharing of the fingerprint data with another entity which constituted dissemination to “the public.” In so holding, the court noted that dissemination to the public required that such data be exposed to general view and that the duty to defend was not implicated on that basis because the lawsuit did not include such an allegation.
However, the court then ruled that allegations regarding the insured’s creation of the fingerprint data stated a violation of the rights of privacy of an individual in the course of creating the fingerprint data, and therefore implicated the insured’s duty to defend. The court also held that defense of the second lawsuit fell within the exception to the unlawful collection or retention exclusion, which provided that the exclusion did not apply to claims expenses incurred in defending the insured against allegations of unlawful collection. Additionally, the court held that the insurer had no duty to defend under the policy’s data and network liability coverage because the complaint did not allege that an unauthorized third party accessed individuals’ information. Finally, the court upheld the dismissal of the insured’s bad faith, vexatious and unreasonable conduct, consumer fraud act, and common law fraud causes of action.