Violation-of-Law Exclusion Defeats Duty to Defend BIPA Lawsuit
The Appellate Court of Illinois, First District, applying Illinois law, has held that two general liability insurers do not owe a duty to defend an insured in a lawsuit alleging Biometric Information Privacy Act (BIPA) violations because coverage for the BIPA suit was barred by the violation-of-law exclusion. The Nat’l Fire Ins. Co. v. Visual Pak Co., No. 2020 CH 06897 (Ill. App. Ct. Dec. 19, 2023). The court also held that the insurers were not estopped from asserting that the exclusion applied on account of their alleged delayed acknowledgement of the insured’s notice.
A temporary employee of the insured brought a lawsuit in 2018 against the insured alleging BIPA violations. The lawsuit alleged that the insured collected, stored, used, or disseminated the individual’s fingerprints, which were taken to monitor his working hours and then transferred to his employment agency for payroll, without his consent or any policies in place regarding retention and deletion of his fingerprints.
The insurers acknowledged a duty to defend in April 2020 but denied coverage the next month on the basis of the violation-of-law exclusion. The exclusion provided, in relevant part, that coverage did not apply to personal and advertising injury arising directly or indirectly out of any action or omission that violates or is alleged to violate the Telephone Consumer Protection Act, the CAN-SPAM Act of 2003, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act or “any federal, state or local statute, ordinance or regulation, other than [the enumerated Acts], that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The insured settled the underlying suit and assigned its claims against the insurers to the claimant. The insurers filed a coverage action seeking a declaration that they did not owe a duty to defend.
In the ensuing coverage action, the claimant argued that the violation-of-law exclusion did not preclude coverage. The court disagreed and, though “mindful of a recent decision from the United States Court of Appeals for the Seventh Circuit, which reached the opposite conclusion under Illinois law,” held that the violation-of-law exclusion barred coverage.
Analyzing the violation-of-law exclusion using the ejusdem generis canon, which seeks to identify a common theme among a list of items, the court concluded that the common theme was that all statutes listed in the exclusion “share the common denominator of protecting personal privacy.” The court also found “significance in the title” of the exclusion (“Recording and Distribution of Material or Information in Violation of Law”), which “hint[ed] at a theme of privacy.” Because BIPA protects personal privacy, the court determined that alleged BIPA violations were included within the exclusion’s catchall provision.
The court dismissed arguments that the “broad sweep” of the exclusion effectively rendered the personal and advertising injury coverage for an alleged “injury . . . arising out of . . . oral or written publication, in any manner, of material that violates a person’s right of privacy” illusory, observing that the exclusion would not preclude coverage for common law causes of action for invasion of privacy.