The Illinois Supreme Court has affirmed a lower court decision and held that an insurer is obligated to defend a tanning salon that is being sued by a customer who claims the salon violated the Illinois Biometric Information Act. The case is W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc. 2021 IL 125978.
Klaudia Sekura purchased a membership from Krishna Schaumburg Tan Inc., giving her access to L.A. Tan's tanning salons. The membership required Sekura to provide Krishna with her fingerprints. Sekura filed a class-action lawsuit against Krishna alleging that Krishna violated the Act when it "systematically and automatically collected, used, stored, and disclosed their [customers'] biometric identifiers or biometric information without first obtaining the written release required by 740 ILCS 14/15(b)(3)." The complaint alleged that Krishna Tan systematically disclosed the Class's biometric identifiers and information to an out-of-state vendor. The complaint also alleged that Krishna Tan did not provide a publicly available retention schedule or guidelines for permanently destroying its customers' biometric identifiers and information as specified by the Act.
Sekura alleged that Krishna was unjustly enriched because it failed to comply with the Act, and that Krishna should not be able to keep the money Sekura paid, and that Krishna was negligent when it breached the duty of reasonable care by violating the Act.
Sekura was seeking relief of statutory damages of $1,000 for each of Krishna's violations of the Act.
West Bend issued two businessowners' liability policies to Krishna consecutively covering from Dec 1, 2014 to December 1, 2016. West Bend advised Krishna in a letter that it would provide a defense under a reservation of rights, believing that Sekura's suit was not covered by the policies.
West Bend filed a declaratory judgment action and alleged that Sekura's complaint did not come within the policies' coverage for personal injury or advertising injury because the complaint did not allege a publication of material that violates a persons right to privacy. The action also alleged, in the alternative, that the policies' violations of statutes exclusion applies and bars West Bend from having to provide coverage for Krishna for the lawsuit.
Krishna filed a countercomplaint alleging that the suit fell within West Bend's coverage, and the second count asserted statutory bad faith and vexatious and unreasonable conduct and alleged no allegation of a "personal injury" and that the Data Compromise endorsement did not apply and had no good faith basis in fact or in law.
The Illinois Supreme Court said in its ruling that Sekura's complaint fell within, or potentially within, the two business owners' liability policies because the underlying complaint alleged that Sekura had suffered a nonbodily personal injury or advertising injury in the form of emotional upset, mental anguish and mental injury.
The court also said that Krishna's alleged sharing of the biometric information with its vendor, even though it was the sole outside recipient of the information, was a "publication" within the purview of the policies, and that the sharing of the fingerprint information potentially violated Sekura's right to privacy. The court also said an exclusion in the coverage for violation of statutes did not apply to BIPA.
The court agreed with earlier rulings by a trial and an appeals court that West Bend was obligated to defend Krishna.
Editor's Note: BIPA requires businesses that store biometric information to inform the subjects in writing that the biometric information is being collected or stored, and the purpose and duration for which it is being collected. The subject's written consent must be collected. Several other states have enacted comparable legislation but only Illinois law currently permits a private right of action. In other states, litigation must be filed by regulators or state attorneys general.