Exclusion for Disclosure of “Confidential or Personal Information” Bars Coverage for BIPA Claim Involving Collection and Disclosure of Handprints

The United States Court of Appeals for the Seventh Circuit, applying Illinois law, has held that an exclusion for claims arising out of any access to or disclosure of any person’s “confidential or personal information” bars coverage for a claim arising out of the unlawful collection and disclosure of handprints in violation of the Biometric Information Privacy Act (BIPA). Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 102 F.4th 438 (7th Cir. 2024). The Court also held that exclusions for “Statutory Violation,” “Data Breach Liability,” and “Employment-Related Practices” did not bar coverage for the BIPA claim.

The insured allegedly required its hourly workers to use handprints to clock in and out of work without their consent, and it used a third party to process the data. This led to a claim against it for violation of BIPA. The insured sued its insurer when the insurer declined to defend. The district court concluded that an exclusion in the primary and excess policies rendered those coverages inapplicable to the BIPA claim. That exclusion precluded coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” The Seventh Circuit agreed that the exclusion barred coverage for the BIPA claim, reasoning that the ordinary understanding of “confidential or personal information” includes handprints and any other biometric identifiers usable for identity theft.

The insured’s umbrella policy lacked an exclusion relating to nonpublic information. The district court held that none of the three exclusions identified by the insurer under the umbrella policy was “so clear” that it foreclosed a duty to defend. The Seventh Circuit agreed. Specifically, relying on prior Illinois Supreme Court precedent in West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47 (Ill. 2021), the Court declined to apply the “Statutory Violation Exclusion” to bar coverage. The Court also determined that the “Data Breach Liability Exclusion” was inapplicable because “the body of this exclusion must be understood to match its caption – that is, to situations in which hackers obtain access to personal information.” Finally, the Court found that the “Employment-Related Practices Exclusion” – which applied to employment-related practices “directed towards” a person – did not bar coverage because the insured’s practice of taking its employees’ handprints was not “directed towards” any given worker.

Categories

Practice Areas

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek