The United States Court of Appeals for the Seventh Circuit, applying Illinois law, has held that an exclusion for claims arising out of any access to or disclosure of any person’s “confidential or personal information” bars coverage for a claim arising out of the unlawful collection and disclosure of handprints in violation of the Biometric Information Privacy Act (BIPA). Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 102 F.4th 438 (7th Cir. 2024). The Court also held that exclusions for “Statutory Violation,” “Data Breach Liability,” and “Employment-Related Practices” did not bar coverage for the BIPA claim.
The insured allegedly required its hourly workers to use handprints to clock in and out of work without their consent, and it used a third party to process the data. This led to a claim against it for violation of BIPA. The insured sued its insurer when the insurer declined to defend. The district court concluded that an exclusion in the primary and excess policies rendered those coverages inapplicable to the BIPA claim. That exclusion precluded coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” The Seventh Circuit agreed that the exclusion barred coverage for the BIPA claim, reasoning that the ordinary understanding of “confidential or personal information” includes handprints and any other biometric identifiers usable for identity theft.
The insured’s umbrella policy lacked an exclusion relating to nonpublic information. The district court held that none of the three exclusions identified by the insurer under the umbrella policy was “so clear” that it foreclosed a duty to defend. The Seventh Circuit agreed. Specifically, relying on prior Illinois Supreme Court precedent in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021), the Court declined to apply the “Statutory Violation Exclusion” to bar coverage. The Court also determined that the “Data Breach Liability Exclusion” was inapplicable because “the body of this exclusion must be understood to match its caption – that is, to situations in which hackers obtain access to personal information.” Finally, the Court found that the “Employment-Related Practices Exclusion” – which applied to employment-related practices “directed towards” a person – did not bar coverage because the insured’s practice of taking its employees’ handprints was not “directed towards” any given worker.
[View source.]
