Invasion of Privacy Exclusion Bars D&O Coverage for BIPA Suit But EPL Coverage Potentially Applies

The United States District Court for the Central District of Illinois, applying Illinois law, has held that an invasion of privacy exclusion precluded D&O coverage for underlying suits alleging violations of the Illinois Biometric Privacy Act (BIPA) because the underlying plaintiffs’ injuries would not have occurred but for the insured company’s collection and use of employees’ data without their consent.  Twin City Fire Ins. Co. v. Vonachen Servs., Inc., 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021).  The court also held that a breach of contract exclusion did not bar EPL coverage because the company could have incurred liability under BIPA even in the absence of a contract with its employees.

Two employees filed putative class action lawsuits against an insured company alleging various BIPA violations.  The complaints alleged that the company required its workers to use their fingerprints in its biometric tracking and timekeeping system; used, collected, and stored employees’ fingerprints without their informed consent; and failed to inform the employees of the specific purpose and length of time such data would be retained and used.  The company’s timekeeping requirements were listed in its employee handbook.

In the ensuing coverage litigation, the court held that an invasion of privacy exclusion barred D&O coverage.  The exclusion precluded coverage for “Loss . . . in connection with any Claim based upon, arising from, or in any way related to any actual or alleged . . . invasion of privacy.”  The court found that the phrase “invasion of privacy” included both common law and statutory violations because Illinois case law previously established BIPA violations as invasions of privacy, and that the phrase “arising out of” triggered a “but-for” test.  Because none of the underlying plaintiffs’ alleged injuries would have occurred “but for” the company’s acts of collecting, using, and retaining of employees’ data without their consent, the court concluded that the exclusion barred coverage.  The court also held that an insured v. insured exclusion did not apply because the underlying suits, in which the underlying plaintiffs provided information for investigation into BIPA violations, fell within a “whistleblowing” exception.

The court held that the insurer had a duty to defend under the EPL coverage part because the underlying complaints alleged invasions of privacy that occurred “at work, for work purposes (timekeeping), and as a result of the employer/employee relationship.”  The court also held that a breach of contract exclusion did not preclude the insurer’s duty to indemnify under the EPL coverage part.  The exclusion precluded coverage for “Loss in connection with any Claim based upon, arising from, or in any way related to liability incurred for breach of any oral, written, or implied employment contract,” but provided an exception for “liability that would have been incurred in the absence of such contract[.]”  Because the company could be liable under BIPA regardless of whether they could be liable under the employee handbook, the court concluded that the exception applied.

Tags

Wiley Executive Summary

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek