No Duty to Defend BIPA Lawsuit Given Absence of Data Breach or Security Failure

The Appellate Court of Illinois, First District, applying Illinois law, has held that a cyber policy did not afford coverage for an underlying lawsuit alleging violations of the Biometric Information Privacy Act (BIPA) because the lawsuit did not include allegations of a “data breach” or “security failure” required to trigger coverage. Tony’s Finer Foods Enters., Inc. v. Certain Underwriters at Lloyd’s, London, No. 1-23-1712 (Ill. App. Ct. Sept. 10, 2024). The court also held that the policy’s unlawful collection exclusion served as an independent bar to coverage.

In 2018, a former employee of the insured grocery retailer filed a putative class action complaint against the retailer for alleged violations of BIPA. The complaint alleged that the retailer required its employees to scan their fingerprints into a timekeeping system to clock in and out of work shifts. The complaint further alleged that the retailer violated the requirements of BIPA by failing to publish a schedule for the deletion of the employees’ biometric data, failing to obtain employees’ written consent to collect their biometric data, and disclosing employees’ biometric data without consent. The retailer’s cyber insurer denied coverage on the grounds that the complaint did not trigger the policy’s coverage for loss resulting from “a data breach, security failure, or extortion threat.”

In the ensuing coverage action, the trial court held that the insurer owed a duty to defend because the allegations potentially fell within coverage. The appellate court disagreed. It held that the complaint did not include allegations that could be construed as giving rise to a “data breach” or “security failure.” First, it noted that a “data breach” required acquisition, access, or disclosure of employees’ information in a manner that is “unauthorized” by the retailer. The court found that the collection and dissemination of employees’ biometric information was either done by the retailer itself or by the retailer’s timekeeping vendor with the retailer’s authorization. Thus, it concluded that “the lawsuit does not allege that anyone obtained [] employees’ biometric data without [the retailer’s] authorization.” Second, the court determined that the lawsuit did not allege that the retailer failed to secure its computer systems, which was a prerequisite under the policy’s definition of “security failure.” Because the lawsuit did not allege either a “data breach” or “security failure,” the appellate court concluded that the insurer did not owe a duty to defend and reversed the trial court’s ruling.

Additionally, although the parties did not raise the issue on appeal, the court observed that the policy’s exclusion precluding coverage for “collection of information . . . without the knowledge or permission of the persons to whom such information relates” “precisely describe[d] the allegations of the underlying [BIPA] lawsuit.” The court held that the exclusion “clearly applie[d]” and independently barred coverage.
