Illinois - Commercial General Liability Coverage - Personal and Advertising Injury Claim
In Am. Family Mut. v. Carnagio Enter. (March 30, 2022), the Northern District of Illinois found a CGL insurer owed no duty to defend in relation to an underlying claim grounded in the Illinois Biometric Information Privacy Act due to the policy’s Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability exclusion.
An employee of Carnagio Enterprises, Inc. (“Carnagio”), a McDonald’s franchisee in Illinois, filed a 2019 class action lawsuit alleging the company’s practice of requiring employees to clock in and out of shifts using a fingerprint scanner violated the Illinois Biometric Information Privacy Act (“BIPA”).
Carnagio purchased CGL coverage from American Family Mutual Insurance Company (“American Family”) for the years 2015 to 2020 and from Austin Mutual Insurance Company (“Austin Mutual”) for the 2020 to 2021 period. Carnagio tendered the BIPA claim under these policies, but the insurers rejected coverage and eventually filed a declaratory judgment suit.
The insurers’ CGL policies provided coverage for “personal and advertising injury,” and all parties to the coverage suit agreed in deference to W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. (May 20, 2021) that the underlying BIPA claim fell within its definition. The coverage dispute focused on the applicability of several exclusions to the CGL coverage.
The Parties’ Arguments
The insurers contended they owed Carnagio no duty to defend since the Employment-Related Practices exclusion and Distribution Of Material In Violation Of Statutes exclusion (“Violation of Statutes exclusion”) each applied to the underlying BIPA claim. Further, Austin Mutual argued the Access Or Disclosure Of Confidential Or Personal Information And Data-Related Liability exclusion (“Access Or Disclosure exclusion”) in its policy applied to obviate coverage.
Carnagio countered that these exclusions did not apply to the BIPA claim. It alleged Carnagio’s fingerprinting policy was not the type of “employment-related practice” encompassed by the Employment-Related Practices exclusion. Carnagio also claimed the BIPA is not one of the statutes addressed by the Violation Of Statutes exclusion. Finally, Carnagio argued the Access Or Disclosure exclusion should be interpreted narrowly based on interpretive canons like noscitur a sociis.
The District Court’s Decision
In analyzing the policy exclusions at issue, the court set as a baseline that “a single unequivocal exclusion is sufficient to show that an insurer does not have a duty to defend the insured.” It then addressed the Employment-Related Practices exclusion. The opinion observed that “courts in this district are split” on the exclusion’s application to BIPA claims. It pointed to the divergence in findings regarding the exclusion in Am. Fam. Mut. Ins. Co. v. Caremel, Inc., (N.D. Ill. 2022) (excluding coverage) as against State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., Inc., (N.D. Ill. 2022) (finding coverage).
The court examined whether Carnagio’s practice of requiring employees to “clock in and out using their handprints was an ‘employment-related practice’” under the exclusion. It found it was not, since it read the exclusion to refer to employer actions in relation to a single employee rather than its general workforce. The court also decided a claim arising from an employer-employee relationship is only excluded if it involves “an action related to an employee’s performance.”
Second, the court turned to the Violation Of Statutes exclusion, which precluded coverage for injuries arising out of, among other things, “[a]ny statute, ordinance or regulation, other than the [Telephone Consumer Protection Act] or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.” The court reasoned that only violations of laws “like the TCPA and the CAN-SPAM Act” are excluded.
The opinion distinguished between the BIPA and the TCPA and CAN-SPAM Act and found the exclusion inapplicable. The court reasoned that, while all three of the statutes are focused on privacy, the BIPA “protects privacy by regulating the information that private citizens give away,” while the other two statutes “give private citizens control over the information that they receive.”
Third, the court turned to the Access Or Disclosure exclusion. It made coverage unavailable for claims for personal and advertising injury:
arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
The court concluded the exclusion’s reference to “any access” clearly and unambiguously ascribed it a “broad meaning.”
In the absence of an ambiguity in the exclusion’s language, the court refused Carnagio’s request for the court to apply the same interpretive canons addressed by the court in the State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters. case (also summarized in this month’s Update). In addition, it concluded that even if the canons ejusdem generis or noscitur a sociis applied, they would not rule out application of the Access Or Disclosure exclusion here since Carnagio was unable to explain why biometric information does not constitute “personal” information.
The court, therefore, concluded the underlying BIPA claim allegations clearly fell within the Access Or Disclosure exclusion and so obviated Austin Mutual’s duty to defend. The underlying lawsuit sought “damages arising out of a third-party’s access to or Carnagio’s disclosure of [the claimant’s] personal information.” The court decided those allegations matched the exclusion’s reference to “any access to or disclosure of … personal information.” As such, it granted summary judgment to Austin Mutual but not to American Family (whose policy did not include the Access Or Disclosure exclusion).
Conclusion
The court analyzed three CGL policy exclusions in the context of an underlying BIPA claim and found two inapplicable and one capable of defeating coverage. The Northern District of Illinois’ decision in this case, coupled with other recent decisions issued from the same District, indicates the law with respect to coverage for privacy-related claims under CGL policies is still evolving.
