The Appellate Court of Illinois, First District, Sixth Division, has upheld the lower court ruling that an insurer must defend a nail salon that has been charged with sending a client's fingerprints to a third-party vendor in a violation of the Illinois Biometric Information Privacy Act (BIPA). The case is W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834.
In April 2016, Klaudia Sekura filed a proposed class action complaint against Krishna Schaumburg Tan, Inc., a franchisee of L.A. Tan Enterprises Inc. In the complaint, Sekura noted that new Krishna clients are enrolled in a national membership database allowing the clients to use their membership at any L.A. Tan location. In order to sign up, Krishna required Sekura to provide a scan of her fingerprint. Despite the fact that Sekura was never asked to sign a written release to allow the salon to disclose that biometric fingerprint data to a third party, the fingerprint data was sent to a third-party, SunLync Software Inc.
West Bend Mutual Insurance Company provided Krishna with coverage, including coverage for personal injury, and agreed to defend Krishna subject to a reservation of rights, and sought a declaration for no duty to defend from the state circuit court. That court found that Sekura's claims fell within the provided coverage for personal injury because giving her fingerprints to a third-party constituted a "publication which violates a person's right to privacy."
In front of a three-judge panel, West Bend cited an earlier case and argued that the term "publication" in the policy required communication of the information to the public at large and not a single third party, so the facts of this case indicate that there was no publication. The panel disagreed with this argument, noting that dictionary definition and common understanding of the term "publication" includes sharing the information broadly with a large number of people, but also a more limited sharing of information with a single third-party. Had the insurer, who has control over the policy provisions, intended for the term publication to be interpreted as only communication of information to a large group of people, it should have specified so in the policy language.
Next, West Bend argued that since giving the fingerprint data to the third-party was a violation of BIPA, the policy provision that excludes coverage for violations of statutes should apply. The panel also rejected this argument, noting that the full title of the exclusion is "Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Method of Sending Material or Information." The panel noted that the exclusion applied to bar coverage for violations of statutes governing communication, and BIPA says nothing about communication, instead, it regulates the collection, handling, and use, among other things, of biometric identifiers and information.
So, West Bend had a duty to defend Krishan against the underlying suit. The panel did find, though, that there was a bona fide dispute over coverage, and thus Krishna was not entitled to attorney fees and costs.
Editors Note: Once again, we see a case of policy term ambiguity. As is the typical reaction by the courts, we saw the panel, in this case, determine in favor of the insured. Since insurers have control of the contents of the insurance contract, if a term within such a contract is found to be ambiguous, it is generally found in favor of the insured.