Insurance Carrier Caught Red-Handed in Fingerprints Retention Case

In the matter of Remprex, LLC v. Certain Underwriters at Lloyd’s London1, policyholder Remprex was thrust into two separate class actions, both involving alleged violations of the Biometric Information Privacy Act (“BIPA”). Remprex could not receive coverage under their media liability policy due to an exclusion of coverage for losses arising from the unlawful collection or retention of personally identifiable information or other personal information by or on behalf of the insured organization. However, they nonetheless prevailed in extracting coverage from their carrier thanks to an exception to that exclusion to cover expenses incurred in defending the insured against allegations to the unlawful collection of personally identifiable information.

A Tale of Two Class-Action Lawsuits

Remprex was implicated in class action lawsuit #1 in a suit initiated by truck driver Richard Rogers (“Rogers”) against BNSF Railway Company (“BNSF”), alleging that BNSF violated his privacy rights by collecting, capturing, storing, transferring, using, or otherwise obtaining his biometric information in a negligent or reckless manner (“BNSF lawsuit”). Remprex was never a named defendant in the BNSF lawsuit; however, BNSF’s answer and affirmative defenses alleged that it contracted with Remprex to provide “a number of services at BNSF facilities,” including automated gate systems. Additionally, BNSF indicated in an affirmative defense that any alleged use of fingerprints would have been provided to and at the request of Remprex. Remprex’s involvement in the suit involved attending an unsuccessful mediation session between the named parties to the BNSF lawsuit and receiving a broad subpoena for records. Remprex exited the mediation with an expectation that it would contribute to any proposed settlement; and they responded to the subpoena by producing thousands of documents for the parties. Additionally, two of Remprex’s principals received deposition notices from Rogers’ counsel and were deposed. Remprex did not engage in any further actions beyond those mentioned here.

A few months after the filing of the BNSF lawsuit, Rogers filed class action lawsuit #2 (“CN lawsuit”); this time directly naming Remprex as a defendant, along with Illinois Central Railroad Company (“ICRC) and CN Transportation, Ltd. (“CN”). Together with the similar allegations raised in the BNSF lawsuit, Rogers implicated Remprex by name through its allegations that the company “engineered, designed, installed, operated, and managed biometric technology software and hardware.” More importantly, as it pertains to ultimate policy coverage, the suit also alleged that CN used Remprex’s technology at its railyards and the two companies acted jointly in violating his privacy rights by collecting, capturing, storing, transferring, using, or otherwise obtaining his biometric information in a negligent or reckless manner. Further, Rogers alleged that Remprex used and shared his and other truck drivers’ fingerprint scans in an unauthorized manner as part of a biometric-based automated gate system at Illinois railyards for companies like CN and improperly disseminated that information.

Remprex’s Plea for Coverage

Remprex maintained a “Beazley Breach Response” (“BBR”) policy, underwritten by Lloyd’s. The policy provided coverage for data and network liability and media liability. The policy also contained a choice of law provision, which applied New York law to disputes about its terms.

Remprex tendered the Suits to Lloyd’s for coverage under its BBR policy. Lloyd’s responded by denying coverage taking the position that neither the CN lawsuit nor the BNSF lawsuit triggered coverage. Lloyd’s took the position that neither the data and network liability nor the media liability provisions covered the circumstances present in the two underlying lawsuits. With respect to the CN lawsuit (the lawsuit with a stronger argument for coverage), Lloyd’s noted that the policy’s definition of media liability covered liability for creating, displaying, broadcasting, disseminating, or releasing media material to the public, and the CN complaint did not allege that Remprex did any of those things. Lloyd’s concluded that it had no duty to defend the CN complaint under the relevant media liability coverage of the policy because there was no allegation in the CN complaint that Remprex disseminated any information to the public. With respect to the network liability coverage, Lloyd’s claimed that the CN complaint was not a claim against Remprex for the theft or loss of information that in Remprex’s care, custody, or control or the disclosure of such information without Remprex’s authorization. Rather, the CN complaint alleged that Remprex collected information from Rogers without his consent; thus, it was not covered or potentially covered as a “data breach,” as the term is defined in the policy.

Regarding the BNSF suit (arguably the weaker lawsuit for extracting coverage), Lloyd’s denied coverage because Remprex was not a party to the suit and the complaint and subpoena requests that Remprex nonetheless answered to did not trigger coverage either because they were not filed against Remprex and demanded no money or services from Remprex.

Remprex subsequently filed a first amended complaint in response to Lloyd’s denials with six counts:

  • Count I sought a declaration that Lloyd has had a duty to defend and indemnity it in the CN and BNSF lawsuits,
  • Count II alleged breach of contract,
  • Count III alleged bad faith,
  • Count IV alleged vexatious and unreasonable conduct,
  • Count V alleged a violation of the Consumer Fraud Act, and
  • Count VI alleged common law fraud.

Remprex’s allegations were based on the underlying CN and BNSF complaints, the BNSF answer and subpoena, and Lloyd’s written denials of its claims for coverage.

The Circuit Court’s Ruling

After oral argument, the Circuit Court of Cook County in Illinois found that there was no coverage for the CN lawsuit under the policy because there was no dissemination of any data to the public, just transmission between parties affiliated with one another. With respect to the BNSF lawsuit, the court stated that because Remprex was not named, it could not determine whether there was coverage. The circuit court dismissed the remaining counts of the first amended complaint. Remprex appealed to the Appellate Court of Illinois.

The Appellate Court’s Ruling

The appellate court found the allegations in the BNSF complaint arguably formed the basis for a duty to defend. The fatal fact that denied a basis for coverage, however, was Remprex not being named as a defendant in the BNSF complaint. With respect to the third-party subpoena received by Remprex from plaintiff Rogers’s counsel in August 2020, the record revealed that Remprex did not timely submit a claim to Lloyd’s regarding the subpoena. Because the subpoena was received outside of the notice provision under policy (“no later than 90 days after the end of the policy period,”) no coverage was available. This demonstrates the importance of following a policy’s notice provision to properly extract coverage.

The CN complaint, in contrast, incorporated Remprex as a named defendant, meaning that the policy definition of a claim was properly satisfied, leaving only a question of whether the claim was caused by a covered event under the insuring agreement. Because there was no dispute that any collection and transfer of an individual’s fingerprints without informing them and procuring a release would be a violation of BIPA, the primary crux of the issue was whether an alleged violation of BIPA, as outlined in the CN complaint, triggered the media liability coverage under the policy. Aside from disseminating media material to the public (which the court viewed as not present in the allegations of the CN), the policy also defined media liability as violating an individual’s right to privacy during the “course of creating media material.” The parties did not dispute whether fingerprints are considered media material.

The policy contained language excluding losses arising from the unlawful collection or retention of personally identifiable information or other personal information by or on behalf of the insured organization. Importantly, however, the exclusion contained an exception, indicating that the exclusion was not applicable to claims expenses incurred in defending the insured against allegations of the unlawful collection of personally identifiable information. This exception to the exclusion proved valuable to the policyholder, as it helped the court find that there was indeed coverage under the policy for the claims expenses related to defending against the CN lawsuit. This was because the lawsuit contained allegations that it unlawfully collected the CN plaintiffs’ fingerprints, which fit perfectly into the exception to the exclusion. As a result, Remprex was entitled to coverage for its claims expenses incurred in defending against the CN lawsuit.

However, while Remprex was successful in extracting coverage under their policy’s media liability provision, they were not similarly triumphant in their plea for coverage under their data and network liability provision. Remprex unsuccessfully argued that “in some way or another,” the CN lawsuit alleged that plaintiffs lost their personally identifiable information, and that action constituted a type of “data breach,” as defined in the policy which would make the claim covered under the policy. The court found, contrary to Remprex’s argument, that the CN complaint did not allege that such biometric data was stolen or shared with the public; rather, the complaint alleged that the named defendants played a part in collecting and sharing such data with one another without permission, in violation of BIPA. This outcome reminds us that, regarding facts alleged in a complaint, what is good for the goose (triggering coverage under media liability) is not always good for the gander (triggering coverage under data and network liability).
The incorporation of a media liability provision in Remprex’s BBR policy proved to be the policyholder’s sole saving grace for coverage. Even though the policy contained a typical exclusion of coverage for losses arising from the unlawful collection or retention of personally identifiable information or other personal information by or on behalf of the insured organization (an action that Remprex allegedly engaged in through their retention of fingerprint data), the policyholder nonetheless prevailed due to an exception to that exclusion to cover expenses incurred in defending the insured against allegations to the unlawful collection of personally identifiable information was effective in making the insured whole. The inclusion of this exception was vital for successful coverage extraction.

Policyholders should always be wary of the long lists of exclusions in their media liability policies, but they also should take a reassuring and careful note of the exceptions to the exclusions as well, proving to be an ultimate tool for coverage, even in the face of seemingly exhaustive exclusions in any given policy, as was the case here.

For more information, contact Stephanie A. Giagnorio at SGiagnorio@sdvlaw.com.

*Special thanks to Damian Barquin, Law Clerk, for contributing to this case alert.


12023 IL App. (1st) 211097 (III. App. Ct. Mar. 31, 2023)