Illinois Federal Court Holds No Duty to Defend Lawsuit Alleging BIPA Violations

The United States District Court for the Northern District of Illinois, applying Illinois law, has held that an insurer had no duty to defend an insured against a lawsuit alleging violations of the Illinois Biometric Information Privacy Act (BIPA) because two exclusions applied. Citizens Ins. Co. of Amer. v. Mullins Food Prods. Inc., 2024 WL 809111 (N.D. Ill. Feb. 27, 2024).

The insured was named as a defendant in a putative class action lawsuit alleging wrongful dissemination of private biometric information in violation of BIPA and tendered the suit to its general liability insurer. The insurer denied coverage and brought a declaratory judgment action seeking a declaration that it had no duty to defend or indemnify. The parties cross-moved for summary judgment, and the insurer’s motion was mostly denied. After the summary judgment ruling, an Illinois intermediate appellate court issued a decision in The National Fire Insurance Co. v. Visual Pak Co., No. 2020 CH 06897 (Ill. App. Ct. Dec. 19, 2023), which addressed the same policy provisions. The insurer then moved the federal court to reconsider its summary judgment ruling in light of Visual Pak. Wiley’s coverage of the Illinois intermediate appellate court decision in Visual Pak is available here.

In this case, the insurer relied upon a “Recording and Distribution of Material or Information in Violation of Law” exclusion and an “Access or Disclosure of Confidential or Personal Information” exclusion. Applying principles of Illinois contract law set forth in Visual Pak, the federal court granted the insurer’s motion for reconsideration and held that both exclusions barred coverage for BIPA claims.

In relevant part, the policy’s “Recording and Distribution of Material or Information in Violation of Law” exclusion barred coverage for personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate the Telephone Consumer Protection Act (TCPA); the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (FCRA); or “[a]ny federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court ruled that “violations of BIPA are included within the catch-all provision” of the exclusion “under either the plain-reading of the catch-all provision or by applying the doctrine of ejusdem generis to limit the scope of the catch-all to the violation of statutes or other laws that protect personal privacy.”

The court also held that the “Access or Disclosure of Confidential or Personal Information” exclusion applied. The policy’s “Access or Disclosure of Confidential or Personal Information” exclusion barred coverage for “‘[p]ersonal and advertising injury’ arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” Invoking the canons of ejusdem generis and noscitur a sociis, the insured argued that the alleged disclosure of biometric information did not fall within the scope of the exclusion. The court rejected the insured’s argument, holding that the textual canons apply “only if there is some doubt about the meaning of the terms used in a contract or statute.” The court ruled that “the mere fact that an exception conflicts with the coverage provision does not, in and of itself, make it ambiguous” and held that the textual canons of ejusdem generis and noscitur a sociis did not apply because the exclusion was unambiguous.