Opinion
No. 23-1521 No. 23-1578
05-17-2024
THERMOFLEX WAUKEGAN, LLC, Plaintiff-Appellant, Cross-Appellee, v. MITSUI SUMITOMO INSURANCE USA, INC., Defendant-Appellee, Cross-Appellant.
David B. Goodman, Attorney, Carrie E. Davenport, Attorney, Goodman Law Group, Chicago, IL, for Plaintiff-Appellee in 23-1521. Richard Homer Nicolaides, Jr., Attorney, Mark John Sobczak, Attorney, Daniel I. Graham, Jr., Attorney, Jonathan T. Viner, Attorney, Nicolaides Fink Thorpe Michaelides Sullivan LLP, Chicago, IL, for Defendant-Appellant in 23-1521. David B. Goodman, Attorney, Carrie E. Davenport, Attorney, Goodman Law Group, Chicago, IL, for Plaintiff-Appellant in 23-1578. Richard Homer Nicolaides, Jr., Attorney, Mark John Sobczak, Attorney, Daniel I. Graham, Jr., Attorney, Jonathan T. Viner, Attorney, Nicolaides Fink Thorpe Michaelides Sullivan LLP, Chicago, IL, for Defendant-Appellee in 23-1578.
Appeals from the United States District Court for the Northern District of Illinois, Eastern Division. No. 21 C 788 — John Z. Lee and Thomas M. Durkin, Judges. David B. Goodman, Attorney, Carrie E. Davenport, Attorney, Goodman Law Group, Chicago, IL, for Plaintiff-Appellee in 23-1521. Richard Homer Nicolaides, Jr., Attorney, Mark John Sobczak, Attorney, Daniel I. Graham, Jr., Attorney, Jonathan T. Viner, Attorney, Nicolaides Fink Thorpe Michaelides Sullivan LLP, Chicago, IL, for Defendant-Appellant in 23-1521. David B. Goodman, Attorney, Carrie E. Davenport, Attorney, Goodman Law Group, Chicago, IL, for Plaintiff-Appellant in 23-1578. Richard Homer Nicolaides, Jr., Attorney, Mark John Sobczak, Attorney, Daniel I. Graham, Jr., Attorney, Jonathan T. Viner, Attorney, Nicolaides Fink Thorpe Michaelides Sullivan LLP, Chicago, IL, for Defendant-Appellee in 23-1578. Before Flaum, Easterbrook, and Pryor, Circuit Judges. Easterbrook, Circuit Judge.
Thermoflex Waukegan required hourly workers to use handprints to clock in and out. This led to a claim that doing so without workers' written consent, and using a third party to process the data, violated the Biometric Information Privacy Act, 740 ILCS 14/1 to 14/20 (BIPA or the Act). Thermoflex had multiple insurance policies in force during the years in question, including three from Mitsui Sumitomo Insurance. We call these the Basic, Excess, and Umbrella policies. Mitsui declined to defend or indemnify Thermoflex, leading to this suit under the diversity jurisdiction. (The litigation between Thermoflex and its workers is in state court.)
Before his appointment to this court, Judge Lee concluded that an exclusion in the Basic policy renders it inapplicable to any claim based on the Act. 595 F. Supp. 3d 677 (N.D. Ill. 2022). The exclusion provides that the insurance
does not apply to [claims] arising out of any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.Judge Lee thought its application straightforward: the Act identifies biometric information as confidential ("nonpublic"), see 740 ILCS 14/10, 14/15(e)—and, although the effect of the exclusion depends on the meaning of the policy rather than the meaning of the Act, the ordinary understanding of "confidential or personal information" includes handprints and other biometric identifiers usable for identity theft.
Illinois enforces unambiguous language in insurance policies. See, e.g., Sanders v. Illinois Union Insurance Co., 2019 IL 124565 ¶23, 441 Ill.Dec. 542, 157 N.E.3d 463. Thermoflex maintains that this policy is ambiguous because the exclusion mentions patents, which are public. True, the list contains mismatched items. But how does this create ambiguity about either the opening phrase ("any person's or organization's confidential or personal information") or the catchall ("any other type of nonpublic information")? Sticking one blue item into a list that begins "all red items including . . ." and closes "plus anything pink" does not nullify the language's application to ruby-colored things. See, e.g., CSX Transportation, Inc. v. Alabama Department of Revenue, 562 U.S. 277, 295, 131 S.Ct. 1101, 179 L.Ed.2d 37 (2011) (explaining that the ejusdem generis canon does not limit general language just because items in a list are dissimilar).
Thermoflex also relies on Citizens Insurance Co. v. Wynndalco, 70 F.4th 987 (7th Cir. 2023), which holds that, under Illinois law, an exclusion for coverage of claims based on "laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information" does not apply to a claim under BIPA. Wynndalco concluded that a broad reading of this exclusion would nullify coverages expressly provided elsewhere in the policy. It did not take long for a state appellate court to hold that Wynndalco misunderstood Illinois law and that such a clause in an insurance policy indeed blocks coverage of claims under BIPA. National Fire Insurance Co. v. Visual Pak Co., 2023 IL App (1st) 221160, — Ill.Dec. —, — N.E.3d —. We need not try to predict whether the Supreme Court of Illinois is more likely to follow Visual Pak than to follow Wynndalco. It is enough that the exclusion in this policy does not have the flaw that led to the decision in Wynndalco. It leaves plenty of room for coverage of the main insured hazards.
That's all we need to say about the Basic policy.
The Excess and Umbrella policy has two parts. Coverage E (for "Excess") contains the same exclusions as the Basic policy, because it incorporates all limitations in the Basic policy. District Judge Durkin, who handled the case after Judge Lee was appointed to this court, held that Coverage E does not apply to claims under the Act. 2023 U.S. Dist. LEXIS 9282 at *10-12 (N.D. Ill. Jan. 19, 2023). Because we agree with Judge Lee's understanding of the Basic policy, we also agree with this aspect of Judge Durkin's understanding of Coverage E, which means that the Excess coverage drops out.
Coverage U (for "Umbrella") lacks an exclusion relating to nonpublic information. (It does not matter what Coverage U includes; the parties agree that it covers BIPA claims unless something excludes coverage.) Judge Durkin found that none of the three arguably applicable exclusions to Coverage U is so clear that it forecloses a duty to provide Thermoflex with a defense in the state-court suit. Id. at *12-29. This federal case is about the duty to defend, not the duty to indemnify. (It would be premature to consider indemnity, as the underlying litigation has not been resolved. See Lear Corp. v. Johnson Electric Holdings Ltd., 353 F.3d 580 (7th Cir. 2003).) In Illinois genuinely ambiguous provisions are construed in favor of coverage. See, e.g., Rich v. Principal Life Insurance Co., 226 Ill. 2d 359, 371, 314 Ill. Dec. 795, 875 N.E.2d 1082 (2007).
The parties call the first of these exclusions the "Statutory Violation Exclusion". It blocks coverage of matters
arising directly or indirectly out of violations of or alleged violations of:
(1) the Telephone Consumer Protection Act (TCPA), including any amendments
thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations;Thermoflex maintains that this is another exclusion of the kind we addressed in Wynndalco; Mitsui asks us to overrule Wynndalco in light of Visual Pak. But we put both Wynndalco and Visual Pak aside and instead ask, as Judge Durkin did, how West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 451 Ill.Dec. 1, 183 N.E.3d 47, applies to an exclusion with this structure.
(2) the CAN-SPAM Act of 2003, including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations;
(3) the Fair Credit Reporting Act (FCRA), including any amendments thereto, such as the Fair and Accurate Credit Transaction Act (FACTA), and any similar federal, state, or local laws, ordinances, statutes, or regulations; or
(4) any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information.
The exclusion in Krishna blocked coverage of:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; orThe Supreme Court of Illinois held that the third part of this exclusion—"[a]ny statute . . . that prohibits or limits the sending [etc.] of material or information"—did not apply to BIPA claims. True, that Act "limits" the use of biometrics in the sense that it requires the consent of the person whose information is involved. But the Supreme Court of Illinois did not see this as similar to the two listed statutes, and, applying the ejusdem generis canon, it held that clause (3) of this exclusion deals only with statutes that are like the first two in some way. Deeming BIPA unlike TCPA and CAN-SPAM (whose scope we need not elaborate), Krishna held the exclusion too uncertain in scope to foreclose coverage of BIPA maXers. 2021 IL 125978 ¶¶ 55-59, 451 Ill.Dec. 1, 183 N.E.3d 47.
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
The Statutory Violation Exclusion to Coverage U in Thermoflex's policy begins with the same two statutes as the policy in Krishna and adds a third, the Fair Credit Reporting Act. One need not get beyond the name of that statute to see how different it is from BIPA. In this diversity suit, we are bound by the way the Supreme Court of Illinois has treated language structured like the Statutory Violation Exclusion, so we agree with the district court that this exclusion from Coverage U does not apply to BIPA.
The next arguably applicable exclusion bears the caption "Data Breach Liability". It provides that the policy does not cover
1) . . . [loss] arising out of disclosure of or access to private or confidential information belonging to any person or organization; or
2) any loss, cost, expense, or "damages" arising out of damage to, corruption of, loss of use or function of, or inability to access, change, or manipulate "data records".
This exclusion also applies to "damages" for any expenses incurred by "you" or
others arising out of 1) or 2) above, including expenses for credit monitoring, notification, forensic investigation, and legal research.Like the district court, we think that the body of this exclusion must be understood to match its caption—that is, to situations in which hackers obtain access to personal information. Although BIPA surely involves "disclosure of" information, its principal concern is disclosure to Thermoflex (and its contractors), not to hackers who get data from Thermoflex. The reference to credit monitoring expenses and forensic investigation drive home the point that the "data breach" caption accurately describes the scope of this exclusion. The meaning of all language depends on context rather than isolated phrases, and the language of this exclusion as a whole shows that it does not apply to all violations of BIPA.
We grant that, if Thermoflex and contractors do not have workers' biometric information, it is less likely to be available to hackers. Inadequate control of biometric information that leaks out could violate BIPA, which requires entities that collect biometric information to keep it confidential. The data-breach exclusion would apply to situations in which hackers obtained biometric information from Thermoflex. That's not what the underlying state suit is about, however.
This brings us to the third exclusion, which the parties call the "ERP exclusion" (for "employment-related practices"). This bars coverage of injury arising out of:
a) refusal to employ that person;Parts (a) and (b) of this exclusion don't have anything to do with BIPA claims. Mitsui relies on part (c), observing that collecting and processing handprints to determine how much time an employee spends at work is an "employment-related practice[ ]". Granted. But is that practice "directed towards" any given worker? Like the district court, we understand "directed towards that person" as identifying acts that are employee-specific—much as parts (a) and (b) are employee (or applicant) specific. A general policy requiring all hourly workers to place their hands on a scanner is an employment-related practice but is not "directed towards" any given employee. It is just a term or condition of employment, and this exclusion taken as a whole is not concerned with the terms and conditions of employment.
b) termination of employment of that person; or
c) coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct, or other employment-related practices, policies, acts, or omissions directed towards that person[.]
As far as we can see, the Illinois judiciary has yet to address how language such as the Data-Breach Liability exclusion and the ERP exclusion applies to claims under BIPA. In the absence of an authoritative decision, our understanding of all three exclusions has been informed by Krishna.
The Umbrella policy provides for defense and indemnity only after underlying insurance (and deductibles, which the policies call self-insured retentions) has been exhausted. This opinion does not address indemnity. Because Thermoflex has at least one other policy that applies to the BIPA claims, see Citizens Insurance Co. v. Thermoflex Waukegan, LLC, 588 F. Supp. 3d 845 (N.D. Ill. 2022), the duty to defend does not begin until the limits of that policy (plus deductibles) have been exhausted. With that proviso—which is part of the district court's decision and judgment, see 2023 U.S. Dist. LEXIS 9282 *31-32 —we hold that Mitsui owes Thermoflex a defense under the Umbrella policy.
AFFIRMED