By: Katherine Vu, Volume 107 Staff Member
Insurance companies are the new plaintiffs taking center stage in recent litigation under the Illinois Biometric Information Privacy Act (BIPA). Enacted in 2008, BIPA aims to protect individuals by regulating the collection and dissemination of their biometric data by private entities. BIPA also includes a private right of action for individuals aggrieved by a violation of the Act, which has led to a series of high-profile class action lawsuits over the years. BIPA litigation is costly for defendants, and many of those defendants have tendered claims to their insurers, seeking indemnification for the crippling damage expenses. The three most popular types of insurance policies these claims fall under are: “commercial general liability (CGL) policies, employment practices liability policies, and cyber insurance policies.” This blog explores the extensive case law surrounding BIPA insurance coverage disputes and the vital role courts play in holding insurers accountable to their duties to indemnify and defend their policyholders.
I. A NEW FRONTIER FOR BIPA LITIGATION
Insurance companies have recently begun challenging their duties to indemnify policyholders involved in BIPA litigation by arguing that certain exclusions provided in the insured’s policy plan specifically exempt coverage. “Exclusions” are sections in standard insurance policies that exempts coverage for certain acts, losses, and injuries. In the context of BIPA, when a plaintiff sues a defendant for alleged violations of the Act, the defendant may ask their insurance company to defend them in court and indemnify them for losses. Insurers may avoid this duty to provide coverage by proving to a court that their policyholder’s action—which caused the BIPA plaintiff’s injury—is exempt from coverage because it falls under one of the insurance policy’s exclusions for certain acts. Two standard policy exclusions: (1) the violations of statutes exclusion, and (2) the employer practices exclusion, have been subject to litigation by insurers seeking exemption from coverage for BIPA suits. Despite best efforts put forth by insurers seeking to deny coverage for insured defendants, courts have consistently held that insurers must provide coverage for their policyholders involved in BIPA lawsuits.
II. THE ART OF USING EXCLUSIONS TO EXCLUDE INSURANCE COVERAGE
A. Violation of Statutes Exclusion
One of the primary exclusions included in a majority of insurance policies is the violation of statutes exclusion which bars coverage for injuries arising out of alleged statutory violations. For instance, in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc, the court reviewed a statutory exclusion that precluded coverage for: “[a]ny…statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.”
In West Bend, an insurance company disputed its duty to defend a policyholder against a BIPA class action suit, arguing that coverage was precluded by an exclusion in the insurance policy that barred coverage for statutory violations. West Bend argued that coverage was barred for BIPA litigation because it fell within the meaning of “other methods” as provided by the policy’s exclusion for “Violation of Statutes that Govern E-Mails, Fax, Phone Calls or Other Methods of Sending Material or Information.” Because the violation of statutes provision did not specifically list BIPA, the court assessed whether the “other than” language was intended to exclude statutes that regulated biometric data retention and information.  After finding that the only statutes included were those that regulated communication, the Illinois Supreme Court held the exception did not preclude insurance coverage for BIPA lawsuits because it was “not a statute of the same kind . . . since [BIPA] does not regulate methods of communication [like those other statutes], the violation of statutes exclusion [did] not apply.”
The court further noted that because the exclusion’s language was ambiguous as to whether BIPA was includable, it must be construed in favor of finding coverage for the policyholder. A prior case addressing whether statutory exclusions, like the violation of statues exclusion, may bar coverage reached a similar conclusion as in West Bend and emphatically stated that any ambiguities regarding whether a policy exclusion applied must be construed in the favor of the policyholder. The policyholder favorable approach taken by courts may serve a critical role in ensuring that BIPA damages are not so immense that they lead to complete economic ruin for a company by requiring insurers to adhere to their own policies of indemnification and defense.
B. Employer Practices Exclusion
With current litigation under the ‘violation of statutes doctrine’ overwhelmingly favoring policyholders, the employer practices exclusion (ERP) included in standard insurance policies also tends to favor policyholders, with some cases serving as notable exceptions. The ERP exclusion bars coverage for a number of injuries, including personal injuries, that arise from refusals to employ, employment dismissals, and any “employment related practices, policies, or omissions . . . .” When addressing the inapplicability of the ERP exclusion to bar BIPA insurance coverage, a court distinguished between the type of harm that arises from the specific employer practices enumerated in the ERP, and other employer related practices, such as “using a finger to clock-in” to work, stating the latter was not the type of “practice or policy” envisioned when including the ERP’s exclusion provisions.
In the context of BIPA litigation, the court in Compare Citizens Insurance Company of America v. Thermoflex Waukegan, LLC, emphasized that a company-wide policy requiring employees to provide their fingerprints does not share a “general similitude” as the kinds of injuries specifically enumerated in the ERP. This is especially noticeable when comparing injuries alleged under BIPA and the injuries enumerated under the ERP’s provisions, that include employer violations such as “coercion” and “harassment.” BIPA class action litigation highlights the reality that many allegations under BIPA do not claim any actual harm was committed against the plaintiff, but rather rely on procedural harm stemming from the statutory BIPA violation.
This distinction raises significant questions as to whether the enormous damages awarded to plaintiffs for purely procedural violations make the consequences of BIPA punitive rather than remedial, and what realities await BIPA defendants that are hit with those enormous penalties without assistance from insurers. In Church Mutual Insurance, S.I. v. Prairie Village Supportive, LLC, the court seemingly cast the decision in Thermoflex aside when holding that BIPA imposes responsibilities on private entities, including “employers” and therefore fell within the scope of ERP exclusions that barred coverage for certain statutory claims against employers. 
Despite the contrary holding, Church Mutual did not weaken the protections created for policyholders in West Bend, as the decision relied on an explicit exemption for “wrongful employment” practices included in the insurer’s policy. Church Mutual’s holding may further be distinguished from West Bend by noting that the court in West Bend refused to apply the violation of statutes exclusion included in the insurer’s policy plan because of ambiguities in the exclusion’s language, while the court in Church Mutual pointed to the unambiguous exclusion in the parties’ policy that exempted coverage for wrongful employment practices. Although Church Mutual’s holding may seemingly create a mechanism for insurers to avoid liability, it is important to note that this case is the exception, not standard, for the vast majority of insurance coverage disputes arising under BIPA.
By requiring insurance coverage for BIPA class action lawsuits, courts are not absolving businesses from the consequences of their actions. Rather, courts are offering temporary protections for businesses, enabling them to split hefty BIPA damage awards with their insurers who are paid to provide coverage for these exact kinds of scenarios. Until the Illinois legislature reconsiders the ambiguous provisions of BIPA, litigation in this area will continue to increase and the stakes involved will only become more costly for all parties involved.
The litigation landscape encompassing BIPA continues to be complex and divisive. The decision in West Bend established a precedent for holding insurers to the guarantees provided in their agreements with policyholders. However, given the increasing volatility in BIPA class action lawsuits, it is uncertain whether the pro-policyholder stance will remain, especially if the Illinois Supreme Court decides that damages may be calculated based on an accrual of violations. Although arguing for exclusions included in policy agreements may not have worked for insurers, remedies such as higher premiums or outright refusals to take on clients that have biometric systems may have further, unintended consequential burden on businesses across the state of Illinois.
 740 Ill. Comp. Stat. 14/15(b) (2008). See Justin O. Kay, BIPA Compliance and Litigation Overview, Thomson Reuters, Practical Law Practice Note w-026-4764, https://1.next.westlaw.com/Document/I7c26f5a2c2bf11eabea4f0dc9fb69570/View/FullText.html [https://perma.cc/P3YR-BN9R].
 See 740 Ill. Comp. Stat. 14/20; see also Bryant v. Compass Grp. USA, Inc., 958 F.3d 617, 619 (7th Cir. 2020); Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1155–56 (7th Cir. 2020); Patel v. Facebook, Inc., 932 F.3d 1264, 1274 (9th Cir. 2019); Hannah Schaller, Kelsey Harclerode & Jeff Landis, BIPA Litigation in 2021: Where We’ve Been & Where We’re Headed, ZwillGenBlog, https://www.zwillgen.com/litigation/bipa-litigation-2021 [https://perma.cc/T8FB-US89].
 Rosenbach v. Six Flags Enter. Corp., 129 N.E.3d 1197, 1200 (Ill. 2019) (“The central issue in this case . . . is whether one qualifies as an ‘aggrieved’ person . . . if [they have] not alleged some actual injury or adverse effect, beyond violation of [their] rights under the statute.”) (alterations in original).
 See Abraham Jewett, Recent BIPA Class Actions, Settlements Highlight Data Privacy, TopClassActions (May 23, 2022), https://topclassactions.com/lawsuit-settlements/privacy/bipa/data-privacy-highlighted-in-recent-bipa-class-actions-settlements [perma.cc/CRD9-9BEV].
 Cothron v. White Castle Sys., Inc., 20 F.4th 1156 (7th Cir. 2021).
 Carolyn M. Branthoover, Jessica L. Moran & Elizabeth A. Hoadley, Biometric Privacy Statutes and Insurance Coverage: Recent Developments in Illinois and the National Landscape, K&L Gates (Aug. 29, 2022), https://www.klgates.com/Biometric-Privacy-Statutes-and-Insurance-Coverage-Recent-Developments-in-Illinois-and-the-National-Landscape-8-29-2022 [https://perma.cc/3K6Q-EUMD].
 See James M. Davis, Debra R. Bernard & Bradley Dlatt, Illinois Supreme Court Affirms BIPA Lawsuits Are Covered by GL Policies, PERKINS COIE (June 1, 2021), https://www.perkinscoie.com/en/news-insights/illinois-supreme-court-affirms-bipa-lawsuits-are-covered-by-gl-policies.html [https://perma.cc/4JA3-39ZB].
 Id. at 61; see also W. Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 183 N.E.3d 47, 49–51 (Ill. 2021); Citizens Ins. Co v. Thermoflex Waukegan, No. 20-CV-05980, 2022 WL 602534, at *8 (N.D. Ill. Mar. 1, 2022); State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., 2022 No. 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022).
 See Peter Halprin & Tae Andrews, Insurance Coverage for Illinois BIPA Ruling, BiometricUpdate.com (June 27, 2022), https://www.biometricupdate.com/202206/insurance-coverage-for-illinois-bipa-ruling [perma.cc/GS39-5EYL].
 See Branthoover, Moran & Hoadley, supra note 6.
 See generally Halprin & Andrews, supra note 9 (explaining how exclusions are used by insurers to avoid coverage in BIPA lawsuits).
 See Charles Insler, Insurance Providers & BIPA Litigation: Are Insurers Obligated to Defend Their Insureds in BIPA Litigation?, HeplerBroom (Oct. 6, 2022), https://www.heplerbroom.com/blog/insurance-providers-bipa-litigation-are-insurers-obligated-to-defend-their-insureds-in-bipa-litigation/ [https://perma.cc/6XWC-88NL].
 See id.
 Krishna, 183 N.E.3d at 52.
 See id. at 49–51.
 Id. at 60.
 Id. at 59–61.
 Pipefitters Welfare Educ. Fund v. Westchester Fire Ins. Co., 976 F.2d 1037, 1039 (7th Cir. 1992) (citing U.S. Fid. & Guar. Co. v. Wilkin Insulation Co., 578 N.E.2d 926, 930 (Ill. 1991)) (holding that “[i]f a complaint . . . ‘states a claim that is within, or even potentially or arguably within, the scope of coverage provided by the policy,’ the Insurers must provide a defense”) (alterations in original).
 Courts consider a number of questions when deciding whether to apply an exclusion that would enable an insurer to bar coverage from its policyholder, such as “the high amount of damages involved,” “insured’s inability to pay . . . if found liable,” and “the likelihood that there [is] no other insurance coverage for the potential liability.” Citizens Ins. Co v. Thermoflex Waukegan, No. 20-CV-05980, 2022 WL 602534, at *8 (N.D. Ill. Mar. 1, 2022); see also Brief for Ill. Mfrs. Ass’n & Nat’l Ass’n of Mfrs. et al. as Amici Curiae Supporting Defendant-Appellant, Cothron v. White Castle System, Inc., 20 F.4th 1156 (7th Cir. 2021) (No. 128004) (explaining the detrimental effects of BIPA class action damages on small businesses in Illinois).
 Compare Thermoflex, 2022 WL 602534, at *6 (explaining how ERP’s provisions are ambiguous and thus should be construed in favor of the policyholder), with Am. Fam. Mut. Ins. Co., S.I. v. Caramel, Inc., No. 20-CV-637, 2022 WL 79868, at *10 (N.D. Ill. Jan. 7, 2022) (explaining how BIPA violations are similar to the enumerated employment-related practices in the insurance policy and granting summary judgment for insurance company).
 Thermoflex, 2022 WL 602534, at *2; see Andrew Barrios & John Vishneski, Employment-related Practices Exclusions and Biometric Information Privacy Act Litigation, Reed Smith (Nov. 30, 2021), https://www.policyholderperspective.com/2021/11/articles/employment-practices-liability/employment-related-practices-exclusions-and-biometric-information-privacy-act-litigation [perma.cc/TVH3-C4K4].
 State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enters., No. 20-CV-6199, 2022 WL 683688, at *5 (N.D. Ill. Mar. 8, 2022).
 Id. at *7
 Id. at *9.
 Thermoflex, 2022 WL 602534, at *4.
 Id. at *5.
 Id. at *4.
 See, e.g., Rosenbach v. Six Flags Enter. Corp., 129 N.E.3d 1197, 1207 (Ill. 2019) (“[A]n individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved person [under BIPA] . . . .’”) (alteration in original); see also Kenn Brotman, Erinn L. Rigney & Molly K. McGinley, No Harm, Still Foul: Actual Harm Not Required for PlaintiffsUnder Illinois Biometric Privacy Act, K&L Gates (Jan. 25, 2019), https://www.klgates.com/No-HarmFoul-Actual-Harm-Not-Required-for-Plaintiffs-Under-Illinois-Biometric-Privacy-Act [perma.cc/WK29-4UNU].
 See Emma Graham, Burdened by BIPA, 2022 U. Ill. L. Rev. 929, 946 (2022) (“Damages can grow exponentially and encumber businesses if available for multiple violations per person.”); see also Celeste Bott, High Court BIPA Ruling: Next, How Big Can Damages Get?, Law360 (Feb. 4, 2022), https://www.law360.com/articles/1461918 [perma.cc/W7U3-4C35].
 Compare Church Mut. Ins. Co. v. Prairie Vill. Supportive Living, LLC, 21 C 3752, 2022 WL 3290686, at *4 (N.D. Ill. Aug. 11, 2022) (explaining how the policy exclusion explicitly allows insurers to bar coverage for certain statutory violations), with Thermoflex, 2022 WL 602534, at *4 (explaining how a similarly worded provision is ambiguous and that “[u]nless an exception in the Policies unambiguously applies to preclude coverage, the Insurers must defend the [Policyholders]”).
 Church Mut., 2022 WL 3290686, at *3.
 Krishna, 183 N.E.3d at 24; Church Mutual, 2022 WL 3290686, at *4.
 See, e.g., Thermoflex, 2022 WL 602534, at *6; Joseph Stafford, Illinois Supreme Court Finds Insurer Has Duty to Defend BIPA Suit, Bloomberg L. (June 18, 2021), https://news.bloomberglaw.com/privacy-and-data-security/illinois-supreme-court-finds-insurer-has-duty-to-defend-bipa-suit [perma.cc/YHZ6-MZZA].
 740 Ill. Comp. Stat. 14/15(b) (2008).
 See Michael C. Andolina, Kathleen L. Carlson, Colleen T. Brown, Lawrence P. Fogel, Brian W. Tobin & Andrew F. Rodheim, Emerging Issues and Ambiguities Under Illinois’ Biometric Information Privacy Act, 37 Westlaw J. Comput. & Internet 1 (2020) (explaining increase in litigation surrounding BIPA and detailing several legal issues posed by the litigation).