(Article from Insurance Law Alert, April 2020)
For more information, please visit the Insurance Law Alert Resource Center.
An Illinois appellate court ruled that allegations that the policyholder shared customers’ fingerprint data with a single third-party vendor was a “publication” triggering a duty to defend under the Personal and Advertising Injury coverage provision. W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 WL 1330494 (Ill. Ct. App. Mar. 20, 2020).
A putative class action alleged that the policyholder violated the Biometric Information Privacy Act by sharing copies of customers’ finger print scans with a third-party vendor without customer consent. West Bend sought a declaration that it had no duty to defend or indemnify the claims, arguing that the complaint did not allege covered Personal and Advertising Injury claims and that coverage was barred by a violation of statutes exclusion. An Illinois trial court disagreed and granted the policyholder’s summary judgment motion, and the appellate court affirmed.
The Personal and Advertising Injury provision covered claims arising out of the “oral or written publication of material that violates a person’s right to privacy.” The central issue in dispute was whether the policyholder’s disclosure of fingerprint scans to a single vendor satisfied the “publication” requirement. The court held that it did, rejecting West Bend’s assertion that publication requires dissemination to the public at large.
Additionally, the court ruled that the violation of statutes exclusion did not bar coverage. The exclusion applied to injuries “arising directly or indirectly out of any action or omission that violates or is alleged to violate” the TCPA, CAN-SPAM Act of 2003, or “any statute, ordinance or regulation . . . that prohibits or limits the sending, transmitting, communication or distribution of material or information.” West Bend argued that the exclusion applied because the Biometric Act provides that a private entity may not “disclose, redisclose or otherwise disseminate a person’s or a customer’s biometric identifier or biometric information.” Rejecting this contention, the court held that the exclusion “is meant to bar coverage for the violation of a very limited type of statute.” The court reasoned that the title of the exclusion—“Violation of Statutes That Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information”—makes it clear that the exclusion “applies to statues that govern certain methods of communication . . . not to other statutes that limit the sending or sharing of certain information.”