Opinion
1-23-1712
09-10-2024
TONY'S FINER FOODS ENTERPRISES, INC., Plaintiff-Appellee, v. CERTAIN UNDERWRITERS AT LLOYD'S, LONDON, Subscribing to Policy Nos. MPL2183838.18 and MPL2183838.19, Defendants-Appellants.
Geoffrey J. Repo, of Gordon Rees Scully Mansukhani LLP, of Chicago, for appellants. Eamon P. Kelly and Clayton Faits, of Sperling & Slater LLC, of Chicago, for appellee.
Appeal from the Circuit Court of Cook County. No. 22 CH 9420 Honorable Joel Chupack, Judge, presiding.
Geoffrey J. Repo, of Gordon Rees Scully Mansukhani LLP, of Chicago, for appellants.
Eamon P. Kelly and Clayton Faits, of Sperling & Slater LLC, of Chicago, for appellee.
PRESIDING JUSTICE VAN TINE delivered the judgment of the court, with opinion. Justice D.B. Walker concurred in the judgment and opinion.
Justice Reyes dissented, with opinion.
OPINION
VAN TINE, PRESIDING JUSTICE
¶ 1 Defendants Certain Underwriters at Lloyd's, London, subscribing to policy Nos. MPL2183838.18 and MPL2183838.19 (Lloyd's), appeal from the circuit court's grant of summary judgment in favor of plaintiff Tony's Finer Foods Enterprises, Inc. (Tony's). The circuit court ruled that Lloyd's has a duty to defend Tony's in an underlying class action filed against Tony's by its employees, which alleges violations of the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq. (West 2018)). On appeal, Lloyd's argues that it has no duty to defend Tony's because (1) the allegations of the underlying Act lawsuit do not even potentially fall within the coverage of the insurance policy at issue and (2) Tony's did not timely report the underlying Act lawsuit to Lloyd's. For the following reasons, we reverse and remand with directions that the circuit court enter summary judgment in Lloyd's favor on the issue of duty to defend.
¶ 2 I. BACKGROUND
¶ 3 A. The Underlying Act Lawsuit
¶ 4 On December 19, 2018, Charlene Figueroa filed a class action lawsuit against Tony's and on April 19, 2019, she filed the amended complaint that is relevant to this appeal. Figueroa alleged that she worked for Tony's from March 8, 2017, to September 17, 2018. During that time, Tony's required employees to scan their fingerprints to clock in and out of work. Employees used fingerprint recognition software provided by a timekeeping company called Kronos, which also maintained a database of employees' fingerprints. Figueroa alleged that Tony's violated the Act by failing to (1) publish a schedule for the permanent deletion of employees' biometric data (id. § 15(a)), (2) obtain employees' consent to the collection of their biometric data and provide a written disclosure explaining why and for how long Tony's retained their biometric data (id. § 15(b)), and (3) obtain employees' consent to disclose their biometric data to Kronos and other unknown third parties (id. § 15(d)(1)). Figueroa served Tony's in the underlying Act lawsuit on January 8, 2019. Tony's tendered the Act complaint to Lloyd's on March 22, 2019, seeking defense and indemnification in the underlying lawsuit pursuant to two insurance policies that Tony's purchased from Lloyd's.
Figueroa's original and amended complaints are largely the same, but the amended complaint controls because it does not refer to or adopt the original complaint. See Eberhardt v. Village of Tinley Park, 2024 IL App (1st) 230139, ¶ 86 (citing Bowman v. County of Lake, 29 Ill.2d 268, 272 (1963)). The primary difference between the two pleadings is that the original complaint alleged one count for violation of the Act and one count for negligence whereas the amended complaint alleges three counts for violation of the Act and no negligence count.
Figueroa has never named Kronos as a defendant.
¶ 5 B. The Insurance Policies
¶ 6 Lloyd's issued two insurance policies to Tony's, both titled "Cyber, Data Risk, and Media Insurance." The first policy ran from March 15, 2018, to March 15, 2019 (2018 policy), and the second policy ran from March 15, 2019, to March 15, 2020 (2019 policy). The two policies are essentially identical except for the periods of time they covered, so we will discuss them as a single policy unless a distinction between the two is necessary.
¶ 7 Relevant here, the policy provides coverage for "loss incurred by [Tony's] *** resulting from a data breach, security failure, or extortion threat that first occurs on or after the retroactive date and is discovered by [Tony's] during the policy period." Loss includes "claim expenses, damages, and PCI fines and assessments because of a claim made against [Tony's]." The policy sets out the following definitions:
"Data breach means the acquisition, access, or disclosure of personally identifiable information or confidential corporate information by a person or entity, or in a manner, that is unauthorized by [Tony's].
***
Extortion threat means a threat from a third-party to commit an intentional attack against [Tony's] website or computer systems or publicly disclose confidential corporate information or personally identifiable information misappropriated from [Tony's] if money, securities, or other property of value is not paid.
Security failure means any failure by [Tony's] or by others on [Tony's] behalf (including [Tony's] subcontractors, outsourcers, or independent contractors) in securing [Tony's] computer system."
¶ 8 The policy excludes certain claims from coverage. Relevant here, an exclusion provision states that:
"This policy does not apply to and [Lloyd's] will have no obligation to pay any loss, damages, claim expenses, or other amounts:
1. based upon or arising out of any actual or alleged:
a. collection of information by [Tony's] (or others on [Tony's] behalf) without the knowledge or permission of the persons to whom such information relates; however, this exclusion will not apply if no board member, trustee, director, or officers (or equivalent position) of [Tony's] knew or had reason to know of such conduct; or
b. use of personally identifiable information by [Tony's] (or others on [Tony's] behalf) in violation of law."
¶ 9 C. This Declaratory Action
¶ 10 Lloyd's denied coverage on June 6, 2019, based on Tony's failure to notify Lloyd's of the underlying Act lawsuit during the 2018 policy period. According to Lloyd's, the policy required such notice to trigger coverage. On September 22, 2022, Tony's filed this declaratory judgment action against Lloyd's, alleging that Lloyd's had a duty to defend Tony's in the underlying Act lawsuit. The parties filed cross-motions for summary judgment. Tony's motion argued that Lloyd's was not permitted to flatly deny coverage; rather, Lloyd's had to either (1) defend the underlying Act lawsuit pursuant to a reservation of rights or (2) seek its own declaratory judgment that it had no duty to defend. Lloyd's motion contended that Tony's failed to provide notice of the underlying Act lawsuit to Lloyd's during the 2018 policy period. Lloyd's also argued that the allegations of the underlying Act lawsuit did not even potentially fall within the coverage provisions of the insurance policy.
Tony's initially named "Hiscox Inc." as the insurance provider defendant in this declaratory judgment action. Lloyd's brought this error to the circuit court's attention and the court amended the caption to replace "Hiscox Inc." with Lloyd's.
¶ 11 The circuit court granted summary judgment in Tony's favor. The court found that Lloyd's had a duty to defend Tony's because the allegations of the underlying Act lawsuit potentially fell within the policy's coverage. The record is void of any reason for this conclusion. The court also found that Lloyd's was estopped from asserting policy defenses because Lloyd's failed to defend Tony's in the underlying Act lawsuit pursuant to a reservation of rights and failed to file its own declaratory action. Lloyd's filed a motion to reconsider, which the circuit court denied.
¶ 12 Lloyd's timely appealed.
¶ 14 Lloyd's argues that the circuit court erred in granting summary judgment for Tony's because (1) the allegations of the underlying Act lawsuit do not even potentially fall within the insurance policies' coverage and (2) Tony's did not report the underlying Act lawsuit to Lloyd's during the 2018 policy period.
¶ 15 Summary judgment should be granted when the pleadings, admissions, depositions, and affidavits on file, viewed in the light most favorable to the nonmovant, establish that there is no genuine issue of material fact, and that the movant is entitled to judgment as a matter of law. 735 ILCS 5/2-1005(c) (West 2018); Thounsavath v. State Farm Mutual Automobile Insurance Co., 2018 IL 122558, ¶ 15. We review the circuit court's grant of summary judgment de novo (Thounsavath, 2018 IL 122558, ¶ 16), meaning that we perform the same analysis as the circuit court (Galarza v. Direct Auto Insurance Co., 2022 IL App (1st) 211595, ¶ 33). We also review this matter de novo because it involves the interpretation of insurance policies, a task that concerns questions of law. See West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶ 30.
¶ 16 When interpreting an insurance policy, a court's primary objective is to ascertain and give effect to the intentions of the parties as expressed by the language of the policy. Valley Forge Insurance Co. v. Swiderski Electronics, Inc., 223 Ill.2d 352, 362 (2006). If the policy language is unambiguous, we enforce it as written unless doing so would violate public policy. Schultz v. Illinois Farmers Insurance Co., 237 Ill.2d 391, 400 (2010). But if the policy language is susceptible to more than one meaning, then it is ambiguous, and we must construe it strictly against the insurer. Pekin Insurance Co. v. Wilson, 237 Ill.2d 446, 456 (2010). Additionally, we construe provisions that limit or exclude coverage liberally in favor of the insured and against the insurer. Id. We also construe the policy as a whole and account for the type of insurance purchased, the nature of the risks involved, and the overall purpose of the policy. Id.
¶ 17 As an initial matter, Tony's argues that Lloyd's refusal to defend the underlying Act lawsuit was a breach of the duty to defend; therefore, Lloyd's is estopped from raising any coverage defenses. When an insured party tenders defense of a claim to its insurer and the insurer believes that the claim is not covered by the insurance policy, the insurer cannot "simply refuse to defend the insured." Employers Insurance of Wausau v. Ehlco Liquidating Trust, 186 Ill.2d 127, 150 (1999). Rather, the insurer must either (1) defend the underlying lawsuit under a reservation of rights or (2) seek a declaratory judgment that no coverage exists under the terms of the policy. Id. If the insurer does not take either of these actions and is later found to have wrongfully denied coverage, it has breached its duty to defend. Id. at 150-51. As a result, the insurer is estopped from later asserting any policy defenses to coverage, even if those defenses may have been successful in the absence of the breach. Id. at 151-52. However, estoppel applies only when an insurer breached its duty to defend, so a court must first determine whether the insurer has a duty to defend and whether it breached that duty. Id. at 151.
¶ 18 We evaluate an insurer's duty to defend by comparing the allegations of the underlying complaint to the language of the insurance policy. Uhlich Children's Advantage Network v. National Union Fire Co. of Pittsburgh, 398 Ill.App.3d 710, 716 (2010). If the allegations of the underlying complaint potentially fall within the policy's coverage, the insurer is obligated to defend the insured even if the allegations of the underlying lawsuit are groundless or false. Id.
¶ 19 Tony's has the burden of demonstrating that the facts alleged in the underlying Act complaint potentially fall within coverage of the policies at issue. See Addison Insurance Co. v. Fay, 232 Ill.2d 446, 453 (2009).
¶ 20 The underlying Act complaint alleges that Tony's required Figueroa and other employees to scan their fingerprints into a database maintained by Kronos and to use Kronos's fingerprint recognition software to clock in and out of work. The complaint alleges that Tony's violated the Act by failing to (1) inform employees of the purpose and length of time for which their biometric data was being collected, stored, used, and disseminated, (2) publish a retention schedule for the permanent deletion of employees' biometric data, and (3) obtain releases from employees authorizing the collection, storage, usage, and dissemination of their biometric data. The complaint alleges that Tony's "improperly disclose[d] [its] employees' biometric data to at least one third-party, Kronos, and likely others," who are "currently unknown." The complaint alleges that Tony's violated subsections (a), (b), and (d) of section 15 of the Act (740 ILCS 14/15(a), (b), (d) (West 2018)) for, respectively, failing to publish a schedule for the deletion of biometric data, failing to obtain employees' written consent to collect their biometric data, and disclosing biometric data without employees' consent.
¶ 21 The insurance policy at issue provides coverage for losses incurred by Tony's resulting from "a data breach, security failure, or extortion threat." "[D]ata breach" means "the acquisition, access, or disclosure of personally identifiable information or confidential corporate information by a person or entity, or in a manner, that is unauthorized by [Tony's]." "[S]ecurity failure" means "any failure by [Tony's] or by others on [Tony's] behalf (including [Tony's] subcontractors, outsourcers, or independent contractors) in securing [Tony's] computer system." "[E]xtortion threat" means "a threat from a third-party to commit an intentional attack against [Tony's] website or computer systems or publicly disclose confidential corporate information or personally identifiable information misappropriated from [Tony's] if money, securities, or other property of value is not paid."
¶ 22 We find that the allegations of the underlying Act lawsuit do not even potentially fall within the policy's coverage. The policy provides coverage for Tony's losses resulting from a data breach or security failure. The definitions of data breach and security failure do not include Tony's alleged violations of the Act via its own collection, use, storage, or dissemination of employees' biometric data. A data breach requires access to employee data that is unauthorized by Tony's. The underlying Act lawsuit does not allege that anyone obtained Tony's employees' biometric data without Tony's authorization. On the contrary, the underlying lawsuit alleges that Tony's (and Kronos, with Tony's authorization) collected, stored, used, and disseminated employees' biometric data. There is no allegation that Tony did not authorize these actions.
Tony's does not appear to contend that the allegations of the underlying Act lawsuit fall under the definition of "extortion threat."
¶ 23 Furthermore, the underlying Act lawsuit does not allege that Tony's or Kronos failed to secure their computer systems. In fact, the amended complaint says nothing at all about the security of Tony's or Kronos' computer systems.
¶ 24 Remprex, LLC v. Certain Underwriters at Lloyd's London, 2023 IL App (1st) 211097, guides our reasoning. That case involved a dispute over whether Remprex had insurance coverage for an Act class action alleging that Remprex and another transportation company collected truck drivers' fingerprint biometric data and shared it with each other without the drivers' permission. Id. ¶¶ 3, 9. This court found that Lloyd's had no duty to defend Remprex in the underlying Act lawsuit. Id. ¶ 78. The court explained the "data breach" coverage provision of the insurance policy at issue applied to "third-party breaches of [Remprex's] computer systems that in turn expose[d] the stored personal information to unauthorized persons." Id. ¶¶ 76, 78. However, the underlying Act complaint "contained no allegations that an unauthorized third party accessed individuals' personal information and shared it with the public; instead, it merely alleged that the named parties engaged in the unauthorized collection of their personal information without their consent, which in turn is a violation of [the Act]." Id. ¶ 78. That scenario is essentially the same as this case. So, like the court in Remprex, we find that Lloyd's has no duty to defend Tony's in the underlying Act class action. See id.
¶ 25 Additionally, Lloyd's has no duty to defend Tony's because the policy specifically excludes from coverage allegations like those of the underlying Act lawsuit. The pertinent exclusion provides:
"This policy does not apply to and [Lloyd's] will have no obligation to pay any loss, damages, claim expenses, or other amounts:
1. based upon or arising out of any actual or alleged:
a. collection of information by [Tony's] (or others on [Tony's] behalf) without the knowledge or permission of the persons to whom such information relates; however, this exclusion will not apply if no board member, trustee, director, or officers (or equivalent position) of [Tony's] knew or had reason to know of such conduct; or
b. use of personally identifiable information by [Tony's] (or others on [Tony's] behalf) in violation of law."
This language precisely describes the allegations of the underlying Act lawsuit and excludes them from coverage.
¶ 26 We acknowledge that neither the parties nor the circuit court addressed this exclusion. Generally, a reviewing court should not search the record for unargued and unbriefed reasons to reverse the circuit court's judgment. People v. Givens, 237 Ill.2d 311, 323 (2010). However, that rule is relaxed when a reviewing court considers exclusionary language in an insurance policy because we review the interpretation of an insurance policy de novo and must consider the policy as a whole. Landmark American Insurance Co. v. NIP Group, Inc., 2011 IL App (1st) 101155, ¶¶ 76-77. Moreover, we do "not lack authority to address unbriefed issues and may do so in the appropriate case, i.e., when a clear and obvious error exists in the trial court proceedings." Givens, 237 Ill.2d at 325. The parties' failure to bring an exclusion provision that clearly applies to this case to the circuit court's attention presents a scenario in which a "clear and obvious error" compels our independent consideration.
¶ 27 Tony's argues that the allegations of the underlying Act lawsuit potentially fall within the definition of "security failure" or "data breach" because, although Tony's authorized Kronos to access and store employees' biometric data, Tony's did not authorize Kronos to access or store that data in a non-Act-compliant manner. Tony's implies that Kronos committed a "security failure" that resulted in the disclosure of Tony's employees' biometric data to unknown third parties, i.e., a "data breach." We disagree. The underlying Act complaint contains no allegations regarding the security of Tony's or Kronos's computer systems, and Figueroa does not allege that Kronos did anything with biometric data that was not authorized by Tony's.
¶ 28 Furthermore, the underlying complaint concedes that Figueroa and other "employees have no idea whether [Tony's] sells, discloses, re-discloses, or otherwise disseminates their biometric data." The complaint claims that "if a database containing fingerprints or other sensitive, proprietary biometric data is hacked, breached, or otherwise exposed-like in the recent Google+, Equifax, Uber, Facebook/Cambridge Analytica and Marriot data breaches or misuses-employees have no means by which to prevent" misuse of their biometric data. (Emphasis added.) The complaint also references a 2015 data breach at the United States Office of Personnel Management and a 2018 breach of an Indian biometric database called Aadhaar. These incidents may be examples of the type of data breaches that would qualify for coverage under the policy at issue, but none of them involves Tony's. Similarly, the complaint claims that Tony's Act violations "have raised a material risk that [Figueroa's] and other similarly-situated individuals' biometric data will be unlawfully accessed by third parties." (Emphasis added.) That statement presents a hypothetical scenario; it is not an allegation that such a breach has occurred.
¶ 29 Altogether, the underlying Act lawsuit describes Tony's and Kronos collecting, storing, using, and possibly disseminating Tony's employees' biometric data in ways that violate the Act. The insurance policy expressly excludes such allegations from coverage. The underlying Act lawsuit does not allege any sort of third-party access to Tony's employees' data that Tony's did not authorize, either due to computer security failures or for any other reason. That type of scenario is what the insurance policy covers. Accordingly, we find that the allegations of the underlying Act lawsuit do not even potentially qualify for coverage; therefore, Lloyd's has no duty to defend Tony's.
¶ 30 Because we find that Lloyd's has no duty to defend Tony's in the underlying Act lawsuit, we need not address the parties' arguments regarding whether Tony's timely reported the Act lawsuit to Lloyd's. The allegations of the underlying Act lawsuit do not qualify for coverage regardless of whether Tony's timely reported that lawsuit to Lloyd's. Accordingly, we reverse the circuit court's grant of summary judgment in Tony's favor and remand with directions for the circuit court to enter summary judgment in favor of Lloyd's on the issue of the duty to defend. See Pekin Insurance Co. v. United Contractors Midwest, Inc., 2013 IL App (3d) 120803, ¶ 35.
¶ 31 III. CONCLUSION
¶ 32 For the foregoing reasons, we reverse the circuit court's grant of summary judgment in Tony's favor and remand with directions for the circuit court to enter summary judgment in Lloyd's favor on the issue of the duty to defend.
¶ 33 Reversed; cause remanded with directions.
¶ 34 JUSTICE REYES, dissenting:
¶ 35 I disagree with the majority's decision to reverse the grant of summary judgment in favor of Tony's and to direct the circuit court to enter summary judgment in favor of Lloyd's.
¶ 36 The duty to defend is a fundamental obligation of an insurer. Employers Insurance of Wausau v. Ehlco Liquidating Trust, 186 Ill.2d 127, 151 (1999). "An insurer may not justifiably refuse to defend an action against its insured unless it is clear from the face of the underlying complaint that the allegations set forth in that complaint fail to state facts that bring the case within or potentially within the insured's policy coverage." General Agents Insurance Co. of America, Inc. v. Midwest Sporting Goods Co., 215 Ill.2d 146, 154 (2005). The allegations of the complaint should be liberally construed in favor of the insured, and the duty to defend exists even if the allegations are groundless, fraudulent, or false. Acuity v. M/I Homes of Chicago, LLC, 2023 IL 129087, ¶¶ 28-29.
¶ 37 In this case, I am unpersuaded by the majority's finding that the allegations of the underlying Biometric Information Privacy Act (740 ILCS 14/1 et seq. (West 2018)) complaint do not even potentially fall within the policy coverage. Tony's contracted with Kronos to manage the employees' biometric information. A plausible inference is that Tony's expected Kronos to manage the biometric information in a manner compliant with applicable law. To the extent that the operative complaint alleges unlawful disclosures of such information, those allegations potentially fall within the definition of a "data breach" or a "security failure," as defined in the policy. Furthermore, I consider the majority's analysis of a policy exclusion that was not raised by the parties to be unnecessary and possibly improper, irrespective of our de novo standard of review. See Commonwealth Edison Co. v. Illinois Commerce Comm'n, 2016 IL 118129, ¶ 10 (noting that reviewing courts generally do not render advisory opinions).
¶ 38 When the underlying complaint against the insured alleges facts within or potentially within the scope of the policy coverage, the insurer taking the position that the complaint is not covered by the policy must either defend its insured under a reservation of rights or seek a declaratory judgment that no coverage exists. State Farm Fire &Casualty Co. v. Martin, 186 Ill.2d 367, 371 (1999). Based on its failure to take either of these steps, I agree with the circuit court's conclusion that Lloyd's is estopped from asserting a late-notice defense (or any other defense). Therefore, I respectfully dissent.