ARTICLE
1 October 2024

No Duty To Defend BIPA Lawsuit Given Absence Of Data Breach Or Security Failure

WR
Wiley Rein

Contributor

Wiley is a preeminent law firm wired into Washington. We advise Fortune 500 corporations, trade associations, and individuals in all industries on legal matters converging at the intersection of government, business, and technological innovation. Our attorneys and public policy advisors are respected and have nuanced insights into the mindsets of agencies, regulators, and lawmakers. We are the best-kept secret in DC for many of the most innovative and transformational companies, business groups, and nonprofit organizations. From autonomous vehicles to blockchain technologies, we combine our focused industry knowledge and unmatched understanding of Washington to anticipate challenges, craft policies, and formulate solutions for emerging innovators and industries.
The Appellate Court of Illinois, First District, applying Illinois law, has held that a cyber policy did not afford coverage for an underlying lawsuit alleging violations...
United States Illinois Privacy

The Appellate Court of Illinois, First District, applying Illinois law, has held that a cyber policy did not afford coverage for an underlying lawsuit alleging violations of the Biometric Information Privacy Act (BIPA) because the lawsuit did not include allegations of a "data breach" or "security failure" required to trigger coverage. Tony's Finer Foods Enters., Inc. v. Certain Underwriters at Lloyd's, London, No. 1-23-1712 (Ill. App. Ct. Sept. 10, 2024). The court also held that the policy's unlawful collection exclusion served as an independent bar to coverage.

In 2018, a former employee of the insured grocery retailer filed a putative class action complaint against the retailer for alleged violations of BIPA. The complaint alleged that the retailer required its employees to scan their fingerprints into a timekeeping system to clock in and out of work shifts. The complaint further alleged that the retailer violated the requirements of BIPA by failing to publish a schedule for the deletion of the employees' biometric data, failing to obtain employees' written consent to collect their biometric data, and disclosing employees' biometric data without consent. The retailer's cyber insurer denied coverage on the grounds that the complaint did not trigger the policy's coverage for loss resulting from "a data breach, security failure, or extortion threat."

In the ensuing coverage action, the trial court held that the insurer owed a duty to defend because the allegations potentially fell within coverage. The appellate court disagreed. It held that the complaint did not include allegations that could be construed as giving rise to a "data breach" or "security failure." First, it noted that a "data breach" required acquisition, access, or disclosure of employees' information in a manner that is "unauthorized" by the retailer. The court found that the collection and dissemination of employees' biometric information was either done by the retailer itself or by the retailer's timekeeping vendor with the retailer's authorization. Thus, it concluded that "the lawsuit does not allege that anyone obtained [] employees' biometric data without [the retailer's] authorization." Second, the court determined that the lawsuit did not allege that the retailer failed to secure its computer systems, which was a prerequisite under the policy's definition of "security failure." Because the lawsuit did not allege either a "data breach" or "security failure," the appellate court concluded that the retailer did not owe a duty to defend and reversed the trial court's ruling.

Additionally, although the parties did not raise the issue on appeal, the court observed that the policy's exclusion precluding coverage for "collection of information . . . without the knowledge or permission of the persons to whom such information relates" "precisely describe[d] the allegations of the underlying [BIPA] lawsuit." The court held that the exclusion "clearly applie[d]" and independently barred coverage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More