On September 10, 2024, the Illinois First District Appellate Court provided the insurance industry with another victorious decision – this time, in the cyber liability insurance context. In Tony’s Finer Foods Enterprises, Inc. v. Certain Underwriters at Lloyd’s, London, 2024 IL App (1st) 231712, the First District found that an insurer did not have a duty to defend its policyholder Tony’s Finer Foods Enterprises, Inc. with respect to a Biometrics Information Privacy Act (“BIPA”) claim because the allegations of the underlying action did not give rise to a “data breach” or “security failure” under a Cyber, Data Risk, and Media Insurance policy.
Facts
The Underlying Action
The Tony Finer Foods decision arose from a dispute between Certain Underwriters at Lloyd’s, London (“Lloyd’s”) and its insured Tony’s Finer Foods Enterprises, Inc. (“Tony’s). Tony’s required employees to scan their fingerprints to clock in and out of work. Employees used fingerprint recognition software provided by a timekeeping company called Kronos, which also maintained a database of employees’ fingerprints. The class action plaintiff Charlene Figueroa was an employee of Tony’s from March 8, 2017 to September 17, 2018. Figueroa alleged that Tony’s violated BIPA by failing to publish a schedule for the permanent deletion of employees’ biometric data, failing to obtain employees’ consent to the collection of their biometric data and failing to provide a written disclosure explaining why and for how long Tony’s retained their biometric data and failing to obtain employees’ consent to disclose their biometric data to Kronos and other unknown third parties.
Declaration Judgment Action Procedural History
Lloyd’s provided two policies to Tony’s, both titled “Cyber, Data Risk and Media Insurance”. Tony’s tendered the BIPA Action to Lloyd’s. Lloyd’s denied the tender based upon a late notice argument. Tony’s filed a declaratory judgment action against Lloyd’s. The parties cross-moved for summary judgment.. Lloyd’s argued that Tony’s failed to provide notice of the underlying action during the appropriate policy period and that the allegations of the underlying action did not even potentially fall within the coverage provision of the insurance policy. The circuit court granted summary judgment in Tony’s favor. The court found that Lloyd’s had a duty to defend Tony’s because the underlying action potentially fell within the policy’s coverage. The court also found that Lloyd’s was estopped from asserting policy defenses because Lloyd’s failed to defend Tony’s in the underlying action and failed to file a declaratory action. Lloyd’s appealed the ruling.
Analysis
First District Ruling
The First District noted that the insurance policy at issue provided coverage for loss incurred by Tony’s resulting from “a data breach, security failure, or extortion threat”. The Court concluded that the allegations of the underlying action did not even potentially fall within the policy’s coverage. The Court determined that the definitions of “data breach” and “security failure” do not include Tony’s alleged violations of BIPA via its own collection, use, storage or dissemination of employees’ biometric data. As the Court noted, a data breach requires access to employee data that is unauthorized by Tony’s. The underlying action did not allege that anyone obtained Tony’s employees’ biometric data without Tony’s authorization. On the contrary, the underlying action alleged that Tony’s and Kronos collected, stored, used and disseminated employees’ biometric data.
Further, the Court found that the underlying action did not allege that Tony’s or Kronos failed to secure their computer systems. The Court pointed out that the underlying action said nothing at all about the security of Tony’s or Kronos’ computer systems.
In reaching its decision, the Court cited to Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097 in which the First District also held that another BIPA underlying complaint contained no allegations that an unauthorized third party accessed individual’s personal information and shared it with the public.
The Court also cited to an exclusion in the Lloyd’s policies which precluded coverage for loss or damage based upon the insured’s collection of information without the knowledge or permission of the person to whom such information relates. The Court found that this exclusion precisely described the allegations of the underlying action.
Learning Point: The Tony’s Finer Foods decision solidifies insurers’ position that BIPA claims do not fall within cyber liability policies because they do not involve the collection of employee data that is unauthorized by the employer. In fact, the BIPA claims typically state the opposite – that the employers knowingly obtained the employees’ data in violation of BIPA. Thus, BIPA claims do not trigger cyber liability policies. Tony’s Finer Foods is the second First District decision finding that no coverage exists for BIPA claims under cyber liability policies.
Original source can be found here.