In Wynndalco, 7th Circuit Hands Another Win to Policyholders Facing BIPA Claims

Policyholders in Illinois – or anywhere else, if they are seeking insurance coverage for alleged violations of Illinois’ Biometric Information and Privacy Act (BIPA) – should find comfort in a recent Seventh Circuit decision upholding a federal district court’s finding that an insurance company has a duty to defend its policyholder accused of BIPA violations. The decision in in Citizens Ins. Co. of Am. v. Wynndalco Enterprises LLC, 22-2213, 2023 WL 4004766 (7th Cir. June 15, 2023), reinforced Illinois courts’ propensity to deliver policyholder victories in suits seeking insurance coverage for alleged violations of BIPA.

In Wynndalco, a unanimous three-judge panel found that a catch-all coverage exclusion was intractably ambiguous and, thus, injuries alleged in the underlying action potentially fell within the policy’s coverage grant. In light of the proliferation of cases alleging violations of biometric privacy laws, companies should familiarize themselves with the policy language that courts have been looking to in resolving biometric coverage claims, as well as review their own policies to safeguard against being barred from future recovery. As this decision illustrates, the particular wording of an insurance policy’s statutory exclusion could be critical to obtaining coverage for a major class action. 

BIPA class action lawsuits have proliferated in Illinois, and Wynndalco provides an example of insurance company efforts to rely on exclusions to avoid coverage. 

Illinois was the first state in the nation to enact biometric data privacy legislation when it enacted BIPA in 2008. BIPA essentially codified an individual’s right to privacy with respect to their biometric identifiers and biometric information. Most notably from a liability point of view, BIPA creates a private right of action for individuals subjected to BIPA violations and provides statutory damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation. The appeal facing the Seventh Circuit in Wynndalco stemmed from Citizens Insurance Company of America’s assertion that it had no duty to defend or indemnify its policyholder, Wynndalco, in the underlying class actions alleging BIPA violations.  

The underlying litigation involved two putative class actions alleging that Wynndalco, an Illinois-based information technology services and consulting firm, violated BIPA. The factual allegations from the two complaints assert that Clearview AI, an artificial intelligence firm that specializes in facial recognition software, allegedly extracted or “scraped” in excess of three billion photographs of individuals from online social media, content-sharing, and digital payment platforms to create a database of facial scans. Wynndalco is alleged to have purchased and subsequently resold access to Clearview AI’s database to the Chicago Police Department for a profit, in violation of BIPA. 

At the time of the resale, Wynndalco had business owner’s insurance coverage through Citizens that provided liability coverage for “personal and advertising injury.” This insurance, in relevant part, provides coverage for injury arising out of “oral or written publication, in any manner, of material that violates a person’s right of privacy.” Citizens did not dispute that Wynndalco’s conduct as alleged in the complaints fell within the policy’s definition of “personal and advertising injury.” However, Citizens alleged that coverage was barred by a catch-all exclusion of coverage for acts or omissions that transgress “[a]ny other laws, statutes, ordinances, or regulations, that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” 

The Seventh Circuit refuted Citizens’ argument in holding that a catch-all exclusion for violation of communications-related statutes did not preclude coverage for BIPA claims. 

Citizens contended that the exclusion applies only to statutory causes of action related to privacy, thus limiting its reach and making it applicable to BIPA claims. Citizens noted that the exclusion specifically cites to four enumerated statutes, all of which regulate privacy in some way, and argued that even the narrower scope of the exclusion still would bar coverage for claims arising from BIPA violations. 

In response, the court noted that there was no mention of “privacy” in the language of the exclusion and that Citizens was asking the court to presume that the language of the catch-all provision means something other than what its terms ordinarily would suggest on their face. The Seventh Circuit found that the catch-all provision was ambiguous and upheld the district court’s conclusion that the catch-all exclusion effectively negated coverage that the policy purportedly provided for violations of privacy. The unanimous three-judge panel concluded:

We agree with the district court that this conflict between the competing policy provisions granting and excluding coverage gives rise to an ambiguity: the broad language of the catch-all exclusion purports to take away with one hand what the policy purports to give with the other in defining covered personal and advertising injuries. 

The court further considered whether resorting to textual canons, ejusdem generis in particular,would result in a plausible, narrower reading of the catch-all provision that would nonetheless encompass an injury resulting from a violation of BIPA. Ejusdem Generis counsels that, “[w]here general words follow specific words …, the general words are usually construed to embrace only objects similar in nature to those objects enumerated by the preceding specific words.” Yates v. United States, 574 U.S. 528, 545 135 S. Ct. 1074, 191 L.Ed.2d 64 (2015). “Under the ejusdem generis doctrine, when a statutory clause specifically describes several classes of persons or things and then includes ‘other persons or things,’ the word ‘other’ is interpreted to mean ‘other such like.’” People v. Davis, 199 III.2d 130, 262 Ill. Dec. 721, 766 N.E.2d 641, 645 (Ill. 2002). In Wynndalco, the question was whether the broad language of the catch-all provision could be given a more focused scope by locating a common element, privacy, among the four statutes cited within the provision. 

Despite Citizens’ argument that the harmonizing factor among the statutes listed in the exclusion was that they all address privacy, the court held that the cited statutes encompass two distinct types of privacy: seclusion and secrecy. Thus, only by referencing privacy at a high level of generality could one potentially find a common thread among the included statutes. Because there is nothing in the language of the exclusion that points to privacy as the focus of the exclusion, the court concluded that the catch-all exclusion, on its face, would eliminate coverage for a number of statutory injuries that the policy purported to cover, thus giving rise to an ambiguity. As a result, the injuries alleged in the BIPA class action complaints at least potentially fall within the coverage of the Citizens policy, making Citizens liable to defend Wynndalco against the BIPA claims.

Wynndalco has positive implications for policyholders. 

Wynndalco is just one of the increasing number of cases that Illinois courts have decided in which insurance companies attempted to exclude BIPA claims from coverage through improperly broad interpretations of exclusions. Policyholders in Illinois, and across the country, should work with brokers and experienced coverage counsel to review existing policy terms and assess whether courts in their jurisdiction have found coverage for claims alleging violations of biometric privacy laws despite such policy exclusions. Further, policyholders would be wise to review their new or renewal policy terms and be wary of any effort by insurance companies to insert more specific exclusionary language in an effort to limit coverage for these claims going forward.