Invasion of Privacy Exclusion Bars D&O Coverage for BIPA Suit But EPL Coverage Potentially Applies
The United States District Court for the Central District of Illinois, applying Illinois law, has held that an invasion of privacy exclusion precluded D&O coverage for underlying suits alleging violations of the Illinois Biometric Privacy Act (BIPA) because the underlying plaintiffs’ injuries would not have occurred but for the insured company’s collection and use of employees’ data without their consent. Twin City Fire Ins. Co. v. Vonachen Servs., Inc., 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021). The court also held that a breach of contract exclusion did not bar EPL coverage because the company could have incurred liability under BIPA even in the absence of a contract with its employees.
Two employees filed putative class action lawsuits against an insured company alleging various BIPA violations. The complaints alleged that the company required its workers to use their fingerprints in its biometric tracking and timekeeping system; used, collected, and stored employees’ fingerprints without their informed consent; and failed to inform the employees of the specific purpose and length of time such data would be retained and used. The company’s timekeeping requirements were listed in its employee handbook.
In the ensuing coverage litigation, the court held that an invasion of privacy exclusion barred D&O coverage. The exclusion precluded coverage for “Loss . . . in connection with any Claim based upon, arising from, or in any way related to any actual or alleged . . . invasion of privacy.” The court found that the phrase “invasion of privacy” included both common law and statutory violations because Illinois case law previously established BIPA violations as invasions of privacy, and that the phrase “arising out of” triggered a “but-for” test. Because none of the underlying plaintiffs’ alleged injuries would have occurred “but for” the company’s acts of collecting, using, and retaining of employees’ data without their consent, the court concluded that the exclusion barred coverage. The court also held that an insured v. insured exclusion did not apply because the underlying suits, in which the underlying plaintiffs provided information for investigation into BIPA violations, fell within a “whistleblowing” exception.
The court held that the insurer had a duty to defend under the EPL coverage part because the underlying complaints alleged invasions of privacy that occurred “at work, for work purposes (timekeeping), and as a result of the employer/employee relationship.” The court also held that a breach of contract exclusion did not preclude the insurer’s duty to indemnify under the EPL coverage part. The exclusion precluded coverage for “Loss in connection with any Claim based upon, arising from, or in any way related to liability incurred for breach of any oral, written, or implied employment contract,” but provided an exception for “liability that would have been incurred in the absence of such contract[.]” Because the company could be liable under BIPA regardless of whether they could be liable under the employee handbook, the court concluded that the exception applied.