Biometric data is an emerging trend, and jurisdictions around the nation have been enacting statutory schemes. These statutes are now getting tested, and we are starting to see a growing body of case law. On March 31, 2023, the court held that an insured was entitled to coverage for claimed expenses it incurred in an Illinois Biometric Information Privacy Act (“BIPA”) class action lawsuit.
In the case, Remprex, LLC v. Certain Underwriters at Lloyd's London, 2023 IL. App. (1st) 211097, Remprex sought coverage for costs it incurred in two BIPA class actions filed by truck drivers who claimed their privacy rights had been violated when their fingerprints were collected in order to access automatic railyard gates. The crux of the case was whether an alleged violation of BIPA triggered the media liability coverage under the policy. Remprex was never named as a defendant in the first action, so coverage was not owing. However, Remprex was a defendant in the second action, and the court held that they were entitled to their claim expenses under the policy’s Media Liability section, which applied to claims alleging a violation of an individual’s right to privacy during the “course of creating, displaying, broadcasting, disseminating or releasing media material to the public.”
But that's not all. Remprex's argument that the word "public" was an ambiguous term that should be interpreted to apply to the sharing of information between itself and any other entity was flatly rejected by the court. It ruled that coverage was not owed under the portion of the Media Liability section applying to the dissemination of material to the public because collecting truck drivers’ fingerprints was not tantamount to disseminating them to the public. Specifically, the court stated "We find that under the circumstances presented here, dissemination to the counterparty of the agreement to collect such information was not reasonably anticipated under the policy as 'public' information". Additionally, coverage was not owed under the policy’s Data & Network Liability section because collecting and storing fingerprints is not tantamount to a security breach, and no personally identifiable information was lost.
Finally, Remprex alleged that Lloyd's violated the Consumer Fraud Act by engaging in unfair and deceptive acts in the denial of their claim without any sufficient basis. To prove a violation of the Consumer Fraud Act a plaintiff must show:
- Defendant committed a deceptive act or practice
- Defendant intended for the plaintiff to rely on the deception
- The deception occurred in the course of conduct involving trade or commerce
- Plaintiff suffered actual damages, and
- Plaintiff's damages were proximately caused by the defendant's deceptive conduct. DOD Technologies v. Mesirow Insurance Services, Inc. 381 Ill. App.3d 1042, 1050-51 (2008).
In another losing argument for the plaintiff, the court found that Lloyd's had not participated in any bad faith or vexatious conduct in the handling of Remprex's claim as there was a valid dispute as to coverage.
This decision has important implications for insurance coverage of BIPA class actions and the interpretation of cyber policies. Legal and insurance professionals should take note of this important decision. WSHB is the industry leader in this area, and appreciates the opportunity to work with our clients by providing timely updates regarding critical developments in this area of law.