7th Circuit: Insurer Must Defend Firm Sued for Selling Facial Recognition Program to Police

An ambiguous coverage exclusion prevents a liability insurer from dodging the cost of defending a data broker that was sued after selling the Chicago Police Department access to a facial recognition database that reportedly contained 3 billion images extracted from social media sites.

The 7th Circuit Court of Appeals on Thursday affirmed a lower court decision finding that a “catch-all” provision in the policy that excluded coverage for any violations of statutes was too broad to bar coverage for alleged violations of the Illinois Biometric Privacy Act.

“We agree with the district court that the facial breadth of the catch-all provision gives rise to an ambiguity in the policy, in that the catch-all provision appears to nullify coverage that the policy elsewhere purports to provide,” the three-judge appellate panel said in its opinion.

Wynndalco Enterprises, a Mokena, Illinois company that sells data and information technology services, sought coverage under a liability policy it bought from Citizens Insurance Co. of America after it was named as a defendant in two class-action lawsuits that alleged biometric privacy violations. The company had sold access to a facial recognition database owned by Clearview AI to another data broker, which immediately sold it to the Chicago Police Department.

A lawsuit backed by the American Civil Liberties Union alleges that Clearview built the database by “scraping” 3 billion images from social media websites. It sells access to the images coupled with software that uses proprietary algorithms to match images loaded into its program to the photos in its database, along with personal information gleaned from social media posts.

The plaintiffs are seeking the $1,000 for each negligent violation of the Biometric Information Privacy Act plus $5,000 for each “willful or reckless” violation. One lawsuit states total damages will exceed $5 million.

Wynndalco sought coverage from Citizens under a business owners policy with limits of $2 million per occurrence and $4 million aggregate. Citizens filed a lawsuit in the federal Northern District of Illinois, seeking a declaration that the policy excluded coverage for the alleged violations.

US District Court Judge John Z. Lee ruled that the insurer owed coverage because the exclusion was so broad it could be construed to bar most if not all claims that are statutory in nature, even claims that the policy purports to cover.

Citizens appealed.

The 7th Circuit panel said that an insurance policy must be read in whole for proper interpretation. A policy exclusion that appears clear in isolation may not be so easy to understand if a separate policy provision grants coverage for the same type of action or injury that is ostensibly excluded.

The panel said it’s “plain-text reading” of the policy finds the same ambiguity that the Judge Lee pointed out. The policy provides liability coverage for “personal and advertising” injuries but excludes them at the same time with a catch-all exclusion for statutory violations, making much of the promised coverage “illusory.”

“A plain-text reading of that provision would swallow a substantial portion of the coverage that the policy otherwise explicitly purports to provide in defining a covered ‘personal or advertising injury,’ and arguably all of the coverage for certain categories of wrongs—copyright infringement, to take one example— that are entirely statutory in nature,” the opinion says.

The Associated Press reported that the Chicago Police Department cancelled a two-year contract to use Clearview’s database in May 2020, after the lawsuits alleging privacy violations were filed. A spokeswoman for the department said it received a rebate for the time that was left on the contract.