An insurer must defend a company charged with violating Illinois’ Biometric Privacy Act, but only after the company’s primary insurance limits are exhausted, a federal district court ruled.
New York-based Mitsui Sumitomo Insurance USA Inc. issued several insurance policies to Waukegan, Illinois-based Thermoflex Waukegan LLC, an industrial machinery and equipment company, including commercial general liability policies and excess and umbrella insurance policies, according to Thursday’s ruling by the U.S. District Court in Chicago in Thermoflex Waukegan LLC v. Mitsui Sumitomo Insurance USA Inc.
Gregory Gates sued Thermoflex in Illinois state court, alleging it had violated BIPA by requiring hourly workers to scan their handprints each time they clocked in and out of work, transmitting the data to a third party without authorization, and not providing them with a publicly available policy or identifying its retention schedule or procedures. Companies are required under BIPA to have a publicly available written policy establishing a retention schedule governing how long they retain the biometric data they collect and guidelines for its destruction.
After Mitsui refused to defend or indemnify Thermoflex in the lawsuit, both parties filed cross-motions for summary judgment.
Another district court judge previously held that Mitsui had no duty to defend or indemnify Thermoflex under its CGL policies and requested separate briefings on whether it had these duties under its excess and umbrella policies.
The district court, with a different judge considering the case, ruled Mitsui owes Thermoflex a duty to defend the company under its umbrella policies, which provide coverage for damages Thermoflex becomes legally obligated to pay for “personal and advertising injury” that is in excess of its self-insurance or other insurance coverage, subject to certain exclusions.
Discussing the statutory violation exclusion, the ruling said, “Without clear meaning for the text, or with the aid of canons of construction, the exclusion is ambiguous and must be construed in favor of coverage.”
The ruling also said the umbrella coverage’s data breach exclusion, “although limited to the data breach context,” must also be construed in favor of coverage.
Thermoflex attorney David B. Goodman, of the Goodman Law Group in Chicago, said in a statement the ruling “provides a clear analysis of why the statutory violation and employment related practices exclusions are either inapplicable or ambiguous and do not excuse the insurers from providing a defense for BIPA claims.”
The insurer’s attorneys did not respond to a request for comment.
In December, a federal district court in New York refused to dismiss a putative class-action lawsuit filed under BIPA against fashion designer Louis Vuitton in connection with its website’s eyeglass “Virtual Try-On” feature.