Pre-Retroactive Date Conduct Forecloses Coverage for BIPA Lawsuit

December 3, 2025

The Appellate Court of Illinois, applying Illinois law, has held that a cyber insurer had no duty to defend or indemnify its insured where the alleged misconduct occurred prior to the policy’s retroactive date. Thornley v. Axis Ins. Co., 2025 WL 2938400 (Ill. App. Ct. Oct. 15, 2025)

The insured, an IT services company, allegedly purchased and immediately resold access to a facial recognition database. Unbeknownst to the insured, the database contained biometric identifiers and information. In May 2020, the insured was sued by a putative class of Illinois residents whose facial scans were collected in the database between January 3, 2020 and April 30, 2020. Plaintiffs alleged that the insured’s resale of the database violated the Illinois Biometric Information Privacy Act.

The insurer denied coverage for the class action, determining that the policy’s “Unlawful Use of Information” and “Violation of Statute” exclusions precluded coverage. The insured thereafter settled the underlying action and assigned its rights under the policy to plaintiffs and other class members.

In the ensuing coverage action, the insurer maintained that the two exclusions precluded coverage for the underlying action, but it also contended that the “wrongful act” or “enterprise security event”—i.e., the purchase and subsequent resale of the database—occurred two months prior to the policy’s February 20, 2020 retroactive date. In an attempt to sidestep the retroactive date issue, plaintiffs argued that the underlying acts were not deemed to have occurred until May 2020 (after the retroactive date), when the insured was served with the underlying complaint. 

The court rejected plaintiffs’ interpretation, finding that the “deemed to occur” language—found in the policy’s claims-reporting section—could not override the coverage section’s requirement that wrongful acts occur after the retroactive date. The court emphasized that claims-made policies insure against the risk of a claim being made against an insured during the policy period, while retroactive date provisions eliminate exposure for acts that predate the policy’s effective date but remain undiscovered or cause no immediate harm. Accordingly, the court held that the “wrongful act” and “enterprise security event” occurred when the company purchased and resold the database in December 2019, before the retroactive date, such that coverage was unavailable for the underlying action. Because the court concluded that the retroactive date issue was dispositive, it did not address the applicability of the exclusions.

Practice Areas

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek