Society Insurance Stuck Defending Insured In Biometric Privacy Class Action
August 22, 2023
Notwithstanding the deluge of data breach and internet eavesdropping privacy cases, companies also continue to face an onslaught of biometric privacy actions under statutes like the Illinois Biometric Information Privacy Act (BIPA). The Central District of California’s recent decision in Society Insurance v. Cermak Produce No. 11, Inc. serves as a reminder of the importance for companies to review and seek insurance coverage when defending against privacy-related class action litigation.
Cermak Produce No. 11, Inc. (Cermak), the defendant in this case, had been sued by a former employee in an underlying case for allegedly violating BIPA by, amongst other things, failing to disclose to employees the purpose or duration for which it retained personal identifying information and by disclosing employees’ biometric information to its timekeeping vendor without consent (Underlying Action). Cermak’s insurer, Society Insurance, filed a federal declaratory judgment action seeking a declaration that it did not have an obligation to defend or indemnify Cermak in the Underlying Action. Society Insurance sought judgment on the pleadings, arguing that its policies excluded coverage for the alleged BIPA violations under their Recording Exclusion, Disclosure Exclusion, and Employment-Related Practices Exclusion.
The Recording Exclusion, according to the plaintiff, excluded coverage for any violation of any federal, state, or local statute that addresses, prohibits, or limits the distribution of material or information, and named certain specific privacy statutes like the TCPA and CAN-SPAM Act. The plaintiff contended that BIPA fell squarely within this exclusion. The court, however, found that while the claims in the Underlying Action involved an alleged invasion of privacy, the Recording Exclusion was ambiguous when considered in its totality with respect to BIPA and the specific nature of the claims in the Underlying Action. The broad nature of the exclusion conflicted with the policy’s inclusive nature, creating an ambiguity that the court had to resolve in favor of Cermak.
Next, the Disclosure Exclusion barred coverage for “personal and advertising injury” arising out of any access to or disclosure of any person’s confidential or personal information. Society Insurance argued that the alleged BIPA violations constituted “personal” injury as the disclosed information was biometrically unique to each individual and fell within the exclusion’s “catch all” for “any other type of nonpublic information.” However, the court found that the exclusion encompassed disparate types of information, none of which expressly mentioned privacy. Without an identifiable theme, the “catch-all” phrase of the Disclosure Exclusion could not be narrowed, and the court could not apply the exclusion to the alleged BIPA violations.
Finally, the Employment-Related Practices Exclusion was the third provision under scrutiny. This exclusion precluded coverage for any employment-related practices, including the timekeeping practices alleged in the Underlying Lawsuit. However, applying principles similar to those used for the earlier exclusions, the court concluded that the types of employment-related practices that were excluded (e.g., harassment, discrimination, etc.) were not similar in nature to the claims in the Underlying Action, and that a broader construction would effectively eliminate coverage that the policies “purport to cover elsewhere.”
The court concluded that, at a minimum, Society Insurance had a duty to defend Cermak in the Underlying Lawsuit, though the issue of indemnification remains to be determined. This case underscores the importance of a thorough understanding of insurance policies and their exclusions, particularly in relation to privacy laws like BIPA.
For businesses, this case serves as a reminder to review their insurance policies and understand the extent of their coverage, especially in relation to privacy and data protection laws. Legal advice should be sought to understand the potential risks and liabilities associated with their operations. As the legal landscape continues to evolve, staying informed and proactive is the best defense.
For more information on this topic, contact David M. Krueger at dkrueger@beneschlaw.com or 216.363.4683.