If your company utilizes standardized wordings, you’ve likely been asked, What editions are you up to, and if you’re not current, when can you catch up?

Indeed, using (or building off) the most recent standardized forms is the goal for many U.S. insurance product development teams. Yet, whether it’s due to lack of IT resources, filing backlogs, or competing priorities, many insurers consistently struggle to stay current with standardized forms, including timely implementation of mandatory endorsements.

In looking at some potential pitfalls of using prior edition forms or endorsements, this blog will examine several recent personal and advertising injury-related liability decisions involving the emerging risk of biometric privacy and the now all too familiar exposure related to data breach and disclosure of confidential information.

A Look at Two Decisions

May 2021 – Against the Insurer on Biometric Privacy
The first decision, from the Supreme Court of Illinois, involved personal and advertising injury-related coverage for an underlying class action against the insured, Krishna Schaumburg Tan - an Illinois-based tanning salon franchisee of LA Tans.¹ The underlying complaint alleged, in part, that the insured had violated the Illinois Biometric Information Privacy Act (BIPA), which includes a private right of action and addresses, among other things, the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information” (BIPA defines biometric identifiers to include a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry”).^2,3 According to the complaint, the insured allegedly violated BIPA by scanning and distributing its customers’ fingerprints without a “publicly available retention schedule or guidelines for permanently destroying its customers’ biometric identifiers and biometric information.”⁴

• According to language from the decision, the policies at issue were “businessowners policies,” issued annually from December 2014 through December 2016.
• The court ruled that the insurer had a duty to defend the BIPA allegations under the policies’ coverage for “[o]ral or written publication of material that violates a person’s right of privacy.”⁵ In doing so, the court found, among other things, that a pre-2008 exclusion in the policy entitled The Distribution of Materials in Violation of Statutes Exclusion did not apply to the BIPA allegations.
• Damages in this case are still pending. However, a similar BIPA class action against another LA Tan franchisee, filed by the very same plaintiff as this one in this case, settled for $1.5 million in 2016.⁶

July 2021 – Against the Insurer on Cyber Breach/Disclosure of Confidential Information
The next decision, from the 5th Circuit U.S. Court of Appeals, involved personal and advertising related coverage for underlying allegations of data breach/disclosure of confidential information against Landry’s Inc., a Texas-based insured engaged in the restaurant/hospitality industry.⁷

According to the underlying complaint, Landry’s allegedly allowed hackers to install a program into its credit card processing system. The program, over an approximate 18-month period (May 2014 through December 2015) extracted millions of Landry’s customers’ credit card-related information, some of which the perpetrators allegedly used for unauthorized purchases.

• In ruling on the coverage issues, the court found a duty to defend under the policies’ personal and advertising-related coverage for “oral or written publication, in any manner, of material that violates a person’s right of privacy.”⁸
• While the court did not identify the specific type of policies at issue in the case, the personal and advertising injury-related language addressed by the court does appear substantially similar to standard language issued by Insurance Services Office (ISO) and The American Association of Insurance Services (AAIS).
• Within the decision, the insurer did not advance arguments relating to, nor did the court address, any policy exclusions.
• Damages in this case are estimated at upwards of $20 million. As of summer 2021, the insurer had requested a rehearing of the court’s decision.⁹

Edition Dates and Mandatory Endorsements – Were the Policies Current?

A review of the Schaumburg Tan and Landry decisions indicates that the relevant policies, in part, likely did not substantially reflect the current standardized language available at the time.

As to Schaumburg Tan, the “businessowners policies” contained The Distribution of Materials in Violation of Statutes Exclusion. ISO revised this exclusion in 2008, via mandatory endorsement (ISO has since incorporated this revision into its underlying businessowners coverage form in 2010, and its general liability and commercial liability umbrella coverage forms in 2013). ISO renamed the exclusion The Recording And Distribution Of Material Or Information In Violation Of Law Exclusion; in doing so, ISO applied the exclusion to, among other things, statutes that address the “dissemination, disposal, collecting, recording” of material or information.¹⁰ As ISO did, AAIS began using a substantially similar mandatory exclusion in 2009 – before subsequently adding it to underlying liability-related coverage forms. For purposes of this article, we refer to the ISO and AAIS exclusions collectively as "The Recordings and Distribution Exclusion".

As to both decisions – and based on a lack of discussions in either case – the relevant policies also presumably did not contain any exclusion relating to access or disclosure of confidential or personal information. In this regard, in 2013 ISO filed mandatory Exclusion – Access or Disclosure of Confidential or Personal Information and Data Related Liability – With Limited Bodily Injury Exception. With respect to personal and advertising injury, this exclusion, in part, addresses the following:¹¹

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information…including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”

AAIS filed a similar, mandatory exclusion in 2014. For purposes of this article, we refer to the ISO and AAIS exclusions collectively as "The Access or Disclosure Exclusion".

Current Language = Different Outcomes?

As to whether The Recording and Distribution Exclusion would apply to allegations similar to those in Schaumburg Tan, at least one federal court in a recent decision (September 2021), has held that the exclusion does apply to BIPA allegations. In this ruling for the insurer, the court found that the carrier owed no duty to defend under its general liability and umbrella polices at issue, reasoning that:¹²

“Here, alleged violations of BIPA come directly within the scope of [The Recording and Distribution Exclusion]. This exclusion…applies to any statute that prohibits or limits “the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” BIPA regulates the retention, collection, disclosure, and destruction of biometric identifiers or biometric information. The language of the exclusion in this case, which bars the “collect[ion]” and “dissemination” of information, is consonant with BIPA’s prohibition against collection and disclosure of biometric identifiers and biometric information.”

In noting that it was applying North Carolina law rather than Illinois law, the court characterized the earlier edition exclusion in Schaumburg Tan as a “different exclusion” than its later revised/current edition.

As to whether The Access or Disclosure Exclusion would apply to allegations similar to those in Landry (concerning the publication of confidential credit card information), or whether it would apply to those in Schaumburg Tan (concerning BIPA violations for the dissemination of personal fingerprint information), we note that the exclusion does explicitly apply to, among other things, “any access to or disclosure of any person’s or organization’s confidential or personal information, including…financial information, credit card information, health information or any other type of nonpublic information.”¹³ With respect to court decisions actually addressing The Access or Disclosure Exclusion in the context of personal and advertising injury-related allegations, our cursory review found few relevant decisions. Yet, at least one recent decision (September 2021) applied The Access or Disclosure Exclusion, for the insurer, in a personal and adverting injury-related case under a commercial general liability policy.¹⁴ While this case did not involve a data breach, it did otherwise involve the alleged unauthorized disclosure of confidential information (proprietary business information). In applying the exclusion, the court found that the insurer had no duty to defend or indemnify its insured.

In Conclusion

Ultimately, the applicability of policy wording comes down to, among other things, a given jurisdiction’s decisions, the state law being applied, as well as the facts of the underlying claim. As such, unless/until there is a more comprehensive view of decisions on a given coverage issue, it is difficult to predict the likelihood of any given outcome. Nevertheless, with respect to BIPA and data breach/disclosure of confidential information, prior edition forms have thus far proved problematic in some cases, and there are decisions with outcomes that support the application of the current wordings.

Moreover, as current standardized text addresses additional issues – such as excluded liquor liability, designated premises limitations, and additional insured status – the real question becomes: Can insurers ultimately afford the cost of not staying current?

If you have questions or would like to discuss recent or upcoming ISO or AAIS changes, please reach out to your Gen Re account executive.

Endnotes

1. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 2021 Ill. LEXIS 430 (Illinois 2021)
2. 740 ILCS 14/10
3. In addition to Illinois, New York and California have BIPA type statutes providing private rights of action. Additionally, some 26 other States currently have BIPA modeled legislation pending, with only 5 of these states (Connecticut, Indiana, Minnesota, Montana and Utah) not providing for a private right of action. https://www.hklaw.com/en/insights/publications/2021/08/nyc-passes-biometric-data-protection-laws-aimed-at-businesses
4. Id. Note 1
5. Ibid.
6. https://cookcountyrecord.com/stories/511056103-l-a-tan-settles-fingerprint-scan-privacy-class-action-for-1-5m-attorneys-get-600k
7. Landry’s, Inc. v. Ins. Co. of the Pa., 2021 U.S. App. LEXIS 21668, 4 F.4th 366 (5th Circuit 2021)
8. Ibid.
9. Law 360
10. On the CGL, for example, the revised exclusion can be found in ISO CGL Coverage Form CG 00 01 04 13, at page 5, Exclusion q.
11. See ISO Endorsement CG 21 06 05 14
12. Mass. Bay Ins. Co. v. Impact Fulfillment Servs., LLC, 2021 U.S. Dist. LEXIS 182970, 2021 WL 4392061 (U.S.D.C. Middle District NC 2021)
13. CG 21 06 05 14
14. See, Great Am. Ins. Co. v. Beyond Gravity Media, Inc., 2021 U.S. Dist. LEXIS 175275, 2021 WL 4192738 (USDC SD Texas, September 2021)