BlogLine

No duty to defend finds Illinois Appellate Court under cyber policy for BIPA claim

11/11/24

By: Donald Patrick Eckler and Madeline M. Krolczyk

The Illinois Appellate Court, First District held the insurers in Tony’s Finer Foods Enterprises, Inc. v. Certain Underwriters at Lloyd’s London have no duty to defend their policyholder, Tony’s Finer Foods, against a class action lawsuit alleging violations of the Illinois Biometric Information Privacy Act, finding that the policies’ Cyber, Data Risk, and Media policy precludes coverage under Illinois law—2024 IL App (1st) 231712. In doing so, the court ruled that Lloyd’s had no duty to defend in the underlying lawsuit because the class action did not result from a data breach, security failure, or extortion threat.

An employee filed a class action against her employer, Tony’s Finer Foods, on December 19, 2018. In her complaint, she asserted that Tony’s failed to safeguard her private health data by requiring employee fingerprints to clock in and out of work and then storing the data with a third party, Kronos. She argued they violated BIPA by 1) failing to publish a deletion schedule of the employee files, 2) obtaining employees’ consent to collect the data, and 3) obtaining employees’ consent to disclose the data to Kronos and other third parties. More than 60 days after being served by the employee, Tony’s tendered the complaint to Lloyd’s, seeking defense in the lawsuit and indemnification. Lloyd’s declined coverage based on Tony’s failure to notify within the time period and because the claim did not fall within the policy for coverage.  

Both parties filed cross-motions for summary judgment, with Tony’s arguing that Lloyd’s had a duty to defend under a reservation of rights or had to seek a declaratory judgment that stated there was no duty to defend. The circuit court granted summary judgment in Tony’s favor, stating that the lawsuit could potentially fall within the policy coverage and therefore had a duty to defend. Lloyd’s then appealed.  

On appeal, the court reversed holding that the underlying lawsuit did not “even remotely fall within the policy’s coverage” and instead found that it was Tony’s own actions that allowed the data to be shared, not an unauthorized user. The court stated there was no evidence that Tony’s did not authorize the action. Tony’s argued that it should be covered by the policy because while they authorized Kronos to access or store the data, they did not authorize Kronos to access or store it in a non-compliant manner. The court disagreed, holding that the complaint did not allege anything regarding the security of the computer systems or any sort of third-party data usage that Tony’s did not authorize. The majority also applied an exclusion that precluded coverage for loss or damage based upon the collection of information without the knowledge or permission of the individual to whom the information relates. The majority analyzed this exclusion despite the parties not referencing the exclusion in the circuit court or on appeal.

In Justice Reyes’ dissent, he would have held that there was a potential duty to defend and criticized the majority for relying on an exclusion that was not raised by either party.  

This case is different from other cases involving claims for coverage under other BIPA lawsuits as this involved a cyber policy, not a CGL policy as was the case in National Fire Insurance Co. v. Visual Pak Co. Inc. (where the insurer had no duty to defend their policyholder against a lawsuit alleging violations of BIPA, finding that the policies’ Violation of Law exclusion precluded coverage), Citizens Insurance Co of America v. Wynndalco Enterprises (where the Seventh Circuit held an insurer did have to defend a BIPA class action because the policy’s exclusion was too broad), and Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc. (where the Seventh Circuit held that the primary policy did not “have the flaw that led to the decision in Wynndalco … [as it] leaves plenty of room for coverage of the main insured hazards). 

Tony’s decision continues the trend, starting with Visual Pak, toward courts applying Illinois law finding no coverage for BIPA lawsuits.  

For more information on the topic, contact Donald Patrick Eckler at patrick.eckler@fmglaw.com, Madeline M. Krolczyk at madeline.krolczyk@fmglaw.com, or your local FMG relationship partner.