Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc., No. 23-1521 (7th Cir. 2024)
Annotate this Case
Justia Opinion Summary
Want to stay in the know about new opinions from the Seventh Circuit US Court of Appeals?
Sign up for free summaries delivered directly to your inbox. Learn More ›
You already receive new opinion summaries from Seventh Circuit US Court of Appeals. Did you know we offer summary newsletters for even more practice areas and jurisdictions? Explore them here.
Thermoflex Waukegan, a company that required its hourly workers to use handprints to clock in and out, was sued for allegedly violating the Biometric Information Privacy Act (BIPA) by not obtaining workers' written consent and using a third party to process the data. Thermoflex had multiple insurance policies, including three from Mitsui Sumitomo Insurance, which declined to defend or indemnify Thermoflex, leading to this suit.
The district court ruled that an exclusion in the Basic policy made it inapplicable to any claim based on BIPA. The exclusion stated that the insurance did not apply to claims arising out of any access to or disclosure of any person’s or organization’s confidential or personal information. The court found this exclusion straightforward, as BIPA identifies biometric information as confidential.
The Excess and Umbrella policy had two parts. Coverage E contained the same exclusions as the Basic policy, and the court agreed with the district court's ruling that it did not apply to claims under BIPA. Coverage U lacked an exclusion relating to nonpublic information. The district court found that none of the three arguably applicable exclusions to Coverage U clearly foreclosed a duty to provide Thermoflex with a defense in the state-court suit.
The United States Court of Appeals for the Seventh Circuit affirmed the district court's decision. It agreed with the district court's interpretation of the Basic policy and Coverage E of the Excess and Umbrella policy. It also agreed that the three exclusions to Coverage U did not apply to BIPA. Therefore, it held that Mitsui owed Thermoflex a defense under the Umbrella policy, provided that the limits of another policy that applies to the BIPA claims, plus deductibles, have been exhausted.
Download PDF
In the United States Court of Appeals For the Seventh Circuit ____________________ Nos. 23-1521 & 23-1578 THERMOFLEX WAUKEGAN, LLC, Plaintiff-Appellant, Cross-Appellee, v. MITSUI SUMITOMO INSURANCE USA, INC., Defendant-Appellee, Cross-Appellant. ____________________ Appeals from the United States District Court for the Northern District of Illinois, Eastern Division. No. 21 C 788 — John Z. Lee and Thomas M. Durkin, Judges. ____________________ ARGUED JANUARY 17, 2024 — DECIDED MAY 17, 2024 ____________________ Before FLAUM, EASTERBROOK, and PRYOR, Circuit Judges. EASTERBROOK, Circuit Judge. Thermo ex Waukegan required hourly workers to use handprints to clock in and out. This led to a claim that doing so without workers’ wriXen consent, and using a third party to process the data, violated the Biometric Information Privacy Act, 740 ILCS 14/1 to 14/20 (BIPA or the Act). Thermo ex had multiple insurance policies in force during the years in question, including three from Mitsui Sumitomo Insurance. We call these the Basic, Excess, 2 Nos. 23-1521 & 23-1578 and Umbrella policies. Mitsui declined to defend or indemnify Thermo ex, leading to this suit under the diversity jurisdiction. (The litigation between Thermo ex and its workers is in state court.) Before his appointment to this court, Judge Lee concluded that an exclusion in the Basic policy renders it inapplicable to any claim based on the Act. 595 F. Supp. 3d 677 (N.D. Ill. 2022). The exclusion provides that the insurance does not apply to [claims] arising out of any access to or disclosure of any person’s or organization’s con dential or personal information, including patents, trade secrets, processing methods, customer lists, nancial information, credit card information, health information or any other type of nonpublic information. Judge Lee thought its application straightforward: the Act identi es biometric information as con dential (“nonpublic”), see 740 ILCS 14/10, 14/15(e)—and, although the e ect of the exclusion depends on the meaning of the policy rather than the meaning of the Act, the ordinary understanding of “con dential or personal information” includes handprints and other biometric identi ers usable for identity theft. Illinois enforces unambiguous language in insurance policies. See, e.g., Sanders v. Illinois Union Insurance Co., 2019 IL 124565 ¶23. Thermo ex maintains that this policy is ambiguous because the exclusion mentions patents, which are public. True, the list contains mismatched items. But how does this create ambiguity about either the opening phrase (“any person’s or organization’s con dential or personal information”) or the catchall (“any other type of nonpublic information”)? Sticking one blue item into a list that begins “all red items including …” and closes “plus anything pink” does not nullify the language’s application to ruby-colored things. See, e.g., Nos. 23-1521 & 23-1578 3 CSX Transportation, Inc. v. Alabama Department of Revenue, 562 U.S. 277, 295 (2011) (explaining that the ejusdem generis canon does not limit general language just because items in a list are dissimilar). Thermo ex also relies on Citizens Insurance Co. v. Wynndalco, 70 F.4th 987 (7th Cir. 2023), which holds that, under Illinois law, an exclusion for coverage of claims based on “laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmiXing, communicating or distribution of material or information” does not apply to a claim under BIPA. Wynndalco concluded that a broad reading of this exclusion would nullify coverages expressly provided elsewhere in the policy. It did not take long for a state appellate court to hold that Wynndalco misunderstood Illinois law and that such a clause in an insurance policy indeed blocks coverage of claims under BIPA. National Fire Insurance Co. v. Visual Pak Co., 2023 IL App (1st) 221160. We need not try to predict whether the Supreme Court of Illinois is more likely to follow Visual Pak than to follow Wynndalco. It is enough that the exclusion in this policy does not have the aw that led to the decision in Wynndalco. It leaves plenty of room for coverage of the main insured hazards. That’s all we need to say about the Basic policy. The Excess and Umbrella policy has two parts. Coverage E (for “Excess”) contains the same exclusions as the Basic policy, because it incorporates all limitations in the Basic policy. District Judge Durkin, who handled the case after Judge Lee was appointed to this court, held that Coverage E does not apply to claims under the Act. 2023 U.S. Dist. LEXIS 9282 at *10–12 (N.D. Ill. Jan. 19, 2023). Because we agree with Judge 4 Nos. 23-1521 & 23-1578 Lee’s understanding of the Basic policy, we also agree with this aspect of Judge Durkin’s understanding of Coverage E, which means that the Excess coverage drops out. Coverage U (for “Umbrella”) lacks an exclusion relating to nonpublic information. (It does not maXer what Coverage U includes; the parties agree that it covers BIPA claims unless something excludes coverage.) Judge Durkin found that none of the three arguably applicable exclusions to Coverage U is so clear that it forecloses a duty to provide Thermo ex with a defense in the state-court suit. Id. at *12–29. This federal case is about the duty to defend, not the duty to indemnify. (It would be premature to consider indemnity, as the underlying litigation has not been resolved. See Lear Corp. v. Johnson Electric Holdings Ltd., 353 F.3d 580 (7th Cir. 2003).) In Illinois genuinely ambiguous provisions are construed in favor of coverage. See, e.g., Rich v. Principal Life Insurance Co., 226 Ill. 2d 359, 371 (2007). The parties call the rst of these exclusions the “Statutory Violation Exclusion”. It blocks coverage of maXers arising directly or indirectly out of violations of or alleged violations of: (1) the Telephone Consumer Protection Act (TCPA), including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations; (2) the CAN-SPAM Act of 2003, including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations; (3) the Fair Credit Reporting Act (FCRA), including any amendments thereto, such as the Fair and Accurate Credit Transaction Act (FACTA), and any similar federal, state, or local laws, ordinances, statutes, or regulations; or Nos. 23-1521 & 23-1578 5 (4) any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmiXing, sending, disposal, or distribution of material or information. Thermo ex maintains that this is another exclusion of the kind we addressed in Wynndalco; Mitsui asks us to overrule Wynndalco in light of Visual Pak. But we put both Wynndalco and Visual Pak aside and instead ask, as Judge Durkin did, how West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, applies to an exclusion with this structure. The exclusion in Krishna blocked coverage of: (1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or (2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or (3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmiXing, communicating or distribution of material or information. The Supreme Court of Illinois held that the third part of this exclusion—“[a]ny statute … that prohibits or limits the sending [etc.] of material or information”—did not apply to BIPA claims. True, that Act “limits” the use of biometrics in the sense that it requires the consent of the person whose information is involved. But the Supreme Court of Illinois did not see this as similar to the two listed statutes, and, applying the ejusdem generis canon, it held that clause (3) of this exclusion deals only with statutes that are like the rst two in some way. Deeming BIPA unlike TCPA and CAN-SPAM (whose scope we need not elaborate), Krishna held the exclusion too 6 Nos. 23-1521 & 23-1578 uncertain in scope to foreclose coverage of BIPA maXers. 2021 IL 125978 ¶¶ 55–59. The Statutory Violation Exclusion to Coverage U in Thermo ex’s policy begins with the same two statutes as the policy in Krishna and adds a third, the Fair Credit Reporting Act. One need not get beyond the name of that statute to see how di erent it is from BIPA. In this diversity suit, we are bound by the way the Supreme Court of Illinois has treated language structured like the Statutory Violation Exclusion, so we agree with the district court that this exclusion from Coverage U does not apply to BIPA. The next arguably applicable exclusion bears the caption “Data Breach Liability”. It provides that the policy does not cover 1) … [loss] arising out of disclosure of or access to private or con dential information belonging to any person or organization; or 2) any loss, cost, expense, or “damages” arising out of damage to, corruption of, loss of use or function of, or inability to access, change, or manipulate “data records”. This exclusion also applies to “damages” for any expenses incurred by “you” or others arising out of 1) or 2) above, including expenses for credit monitoring, noti cation, forensic investigation, and legal research. Like the district court, we think that the body of this exclusion must be understood to match its caption—that is, to situations in which hackers obtain access to personal information. Although BIPA surely involves “disclosure of” information, its principal concern is disclosure to Thermo ex (and its contractors), not to hackers who get data from Thermo ex. The reference to credit monitoring expenses and forensic investigation drive home the point that the “data breach” caption Nos. 23-1521 & 23-1578 7 accurately describes the scope of this exclusion. The meaning of all language depends on context rather than isolated phrases, and the language of this exclusion as a whole shows that it does not apply to all violations of BIPA. We grant that, if Thermo ex and contractors do not have workers’ biometric information, it is less likely to be available to hackers. Inadequate control of biometric information that leaks out could violate BIPA, which requires entities that collect biometric information to keep it con dential. The databreach exclusion would apply to situations in which hackers obtained biometric information from Thermo ex. That’s not what the underlying state suit is about, however. This brings us to the third exclusion, which the parties call the “ERP exclusion” (for “employment-related practices”). This bars coverage of injury arising out of: a) refusal to employ that person; b) termination of employment of that person; or c) coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct, or other employment-related practices, policies, acts, or omissions directed towards that person[.] Parts (a) and (b) of this exclusion don’t have anything to do with BIPA claims. Mitsui relies on part (c), observing that collecting and processing handprints to determine how much time an employee spends at work is an “employment-related practice[]”. Granted. But is that practice “directed towards” any given worker? Like the district court, we understand “directed towards that person” as identifying acts that are employee-speci c—much as parts (a) and (b) are employee (or applicant) speci c. A general policy requiring all hourly workers to place their hands on a scanner is an employment- 8 Nos. 23-1521 & 23-1578 related practice but is not “directed towards” any given employee. It is just a term or condition of employment, and this exclusion taken as a whole is not concerned with the terms and conditions of employment. As far as we can see, the Illinois judiciary has yet to address how language such as the Data-Breach Liability exclusion and the ERP exclusion applies to claims under BIPA. In the absence of an authoritative decision, our understanding of all three exclusions has been informed by Krishna. The Umbrella policy provides for defense and indemnity only after underlying insurance (and deductibles, which the policies call self-insured retentions) has been exhausted. This opinion does not address indemnity. Because Thermo ex has at least one other policy that applies to the BIPA claims, see Citizens Insurance Co. v. Thermo ex Waukegan, LLC, 588 F. Supp. 3d 845 (N.D. Ill. 2022), the duty to defend does not begin until the limits of that policy (plus deductibles) have been exhausted. With that proviso—which is part of the district court’s decision and judgment, see 2023 U.S. Dist. LEXIS 9282 *31–32—we hold that Mitsui owes Thermo ex a defense under the Umbrella policy. AFFIRMED
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
