The Illinois Supreme Court recently sided with a policyholder seeking defense from its insurer for a lawsuit brought by a customer of a tanning salon alleging the insured unlawfully disclosed the customer’s biometric information to a third party.
In the written opinion delivered in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan Inc., Justice P. Scott Neville Jr. explained that Krishna Schaumburg Tan Inc. (Krishna), a tanning salon and franchisee of L.A. Tan, had been sued by customer Klaudia Sekura who claimed that Krishna had violated provisions of Illinois’ Biometric Information Privacy Act (Act), which “regulates the collection, retention, disclosure, and destruction of biometric identifiers and information.”
Illinois enacted the law in 2008; it recognizes the uniqueness of biometric identifiers such as retina or iris scans, fingerprints, voiceprints, palm prints and face geometry. It requires private entities to publicly disclose their policies regarding biometric information and obtain consent from individuals for the use of such information. In January 2020, Facebook agreed to pay $550 million to Illinois users of the social media site that had alleged in a class action lawsuit that Facebook’s facial recognition feature violated their privacy under the Illinois law.
Krishna had collected Sekura’s and other customers’ fingerprints. Sekura’s suit alleged that Krishna violated the act by disclosing “biometric information containing her fingerprints ‘to an out-of-state third party vendor, SunLync,'” without her permission. Krishna filed a claim with its insurer, West Bend Mutual Insurance Co. (West Bend), requesting a defense. “West Bend filed a declaratory judgment action against Krishna and Sekura contending that it did not owe a duty to defend Krishna against Sekura’s lawsuit,” Neville wrote.
Krishna filed a cross-motion for summary judgement, which Sekura joined seeking “alternative relief.” Both the trial and appellate courts found that West Bend had a duty to defend Krishna. The insurer appealed to the Illinois Supreme Court, which supported the decisions of the lower courts.
Secura filed a class action lawsuit that encompassed other customers affected by Krishna’s alleged actions. In a three-part complaint, Secura alleged that Krishna: (1) collected and disclosed customers’ biometric information without first obtaining a written release; (2) was unjustly enriched by failing to comply with the act; and (3) was negligent “when it breached its duty of reasonable care by violating the Act.”
Sekura sought the return of money paid for Krishna’s services and $1,000 in statutory damages for each of Krishna’s alleged violations.
Krishna had purchased two businessowners’ liability policies from West Bend; the first was effective from Dec. 1, 2014, through Dec. 1, 2015, and the second was in effect from Dec. 1, 2015, through Dec. 1, 2016.
In its filing for declaratory judgment, West Bend asserted that the complaint filed against Krishna did not fall within the policies’ coverage for personal injury or advertising injury, and that alternatively, the violations of statutes exclusions in the policies bars the insurer from having to provide coverage.
West Bend also argued that the personal and/or advertising injury alleged in the complaint does not trigger coverage under the policies because it contends the information was disclosed to single party (SunLync). Such a disclosure could not be considered as being a publication of the information, West Bend argued.
West Bend also “maintained that the policies’ violation of statutes exclusion applies and bars coverage to Krishna for the Sekura lawsuit because Sekura’s allegations clearly fall within the violation of statutes exclusion,” the court’s opinion states.
West Bend’s policies didn’t define the term “publication,” the court noted. However, in its filings the insurer contended that West Bend “‘publication’ refers to the communication or distribution of information to the public.”
Because the term “publication” was not defined in the policies, the court reviewed dictionary definitions of the term, as well as those in insurance law, privacy treatises and common law, concluding that in all cases “publication” can mean “both communication to a single party and communication to the public at large.” Thus, the court considered the term “publication” in West Bend’s policies to be ambiguous and should be interpreted against the insurer that drafted the policy.
“Right of privacy” also was not defined in West Bend’s policies, the court found. However, the right to privacy has been recognized by courts as including “primary privacy interests: seclusion and secrecy,” the opinion states.
The Illinois Act “protects a secrecy interest—here, the right of an individual to keep his or her personal identifying information like fingerprints secret.” Therefore, the opinion states: “Sekura’s assertion that Krishna shared her biometric identifiers and information with SunLync alleges a potential violation of Sekura’s right to privacy within the purview of West Bend’s policies.”
The court also took issue with West Bend’s assertion that the violation of statutes exclusion applies in the case against Krishna. It noted that the appellate court in examining West Bend’s policies had “found the violation of statutes exclusion is meant to bar coverage for the violation of ‘statutes that govern certain methods of communication, i.e., e-mails, faxes, and phone calls,'” but not to “other statutes that limit the sending or sharing of certain information,” such as the Illinois biometric information act.
The court ultimately concluded that the allegations in Sekura’s complaint fall within or potentially within” the coverage provided by West Bend’s policies and that “the violation of statutes exclusion in West Bend’s policies does not apply to the Act.”
It affirmed the judgments of the lower courts that “West Bend has a duty to defend Krishna in Sekura’s lawsuit.”
Was this article valuable?
Here are more articles you may enjoy.