Remprex, LLC v. Certain Underwriters at Lloyd's London, Syndicates 2623/623

2023 IL App (1st) 211097, 228 N.E.3d 321

• Court: Appellate Court of Illinois
• Decided: March 31, 2023
• Docket: 1-21-1097
• Status: Published

Opinion

2023 IL App (1st) 211097

SIXTH DIVISION March 31, 2023 Filing Date

Nos. 1-21-1097 & 1-22-0308 (cons.) ______________________________________________________________________________ IN THE APPELLATE COURT OF ILLINOIS FIRST JUDICIAL DISTRICT ______________________________________________________________________________

REMPREX, LLC, ) ) Appeal from the Plaintiff-Appellant, ) Circuit Court of ) Cook County. v. ) ) No. 20 CH 5507 CERTAIN UNDERWRITERS AT LLOYD’S LONDON, ) SYNDICATES 2623/623, ) The Honorable ) Anna M. Loftus, Defendant-Appellee. ) Judge, Presiding.

JUSTICE ODEN JOHNSON delivered the judgment of the court, with opinion. Presiding Justice Mikva & Justice C.A. Walker concurred in the judgment and opinion.

OPINION

¶1 This appeal stems from a declaratory judgment action filed by plaintiff, Remprex, LLC,

against defendants, Certain Underwriters at Lloyd’s London, Syndicates 2623/623 (Lloyd’s),

in which plaintiff sought a declaration that Lloyd’s had a duty to defend it with regard to

alleged violations of the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14/1 et

seq. (West 2018)). Remprex’s complaint also alleged breach of contract, bad-faith claims Nos. 1-21-1097 & 1-22-0308 (cons.)

practices, vexatious and unreasonable conduct, violations of the Illinois Consumer Fraud and

Deceptive Business Practices Act (815 ILCS 505/1 et seq. (West 2018)), and common law

fraud. The circuit court granted Lloyd’s section 2-615 (735 ILCS 5/2-615 (West 2020)) motion

to dismiss the complaint in its entirety, and Remprex appeals from that order. On appeal,

Remprex contends that Lloyd’s had a duty to defend it in the two underlying lawsuits that

alleged BIPA violations pursuant to two provisions of the policy which provided coverage for

claims based on the dissemination of information to the public and for claims based on a loss

for which Remprex was liable. For the reasons that follow, we affirm in part, reverse in part

and remand for calculation of damages. 1

¶2 I. BACKGROUND

¶3 Briefly stated, this case concerns a dispute over whether Remprex had insurance coverage

for costs sustained by it with regard to two class action lawsuits involving alleged violations

of BIPA. The facts are taken from the parties’ pleadings filed during the course of Remprex’s

declaratory judgment action, which was initially filed on August 24, 2020.

¶4 A. BNSF Lawsuit

¶5 According to Remprex, it was implicated by BNSF Railway Company (BNSF) in a class

action suit initiated by truck driver Richard Rogers (Rogers) against BNSF (BNSF lawsuit) in

April 2019. the suit alleged that BNSF violated his privacy rights by collecting, capturing,

storing, transferring, using, or otherwise obtaining his biometric information in a negligent or

reckless manner. Remprex was never a named defendant in the BNSF suit, however, BNSF’s

answer and affirmative defenses alleged that it contracted with Remprex to provide a number

1 Oral arguments were held in this appeal on January 12, 2023.

-2- Nos. 1-21-1097 & 1-22-0308 (cons.)

of services at BNSF facilities, including automated gate systems, since July 1, 2007.

Additionally, BNSF indicated in an affirmative defense that any alleged use of fingerprints

would have been provided to and at the request of Remprex. Remprex’s letter to Lloyd’s

requesting coverage for this matter indicated that BNSF sought indemnification pursuant to

the terms of a contract between Remprex and BNSF.

¶6 In March 2020, Remprex indicated that it attended an unsuccessful mediation session

between the named parties to the BNSF lawsuit before JAMS (a provider of mediation,

arbitration, and alternate dispute resolution services) at the request of both Rogers’ counsel

and BNSF. Remprex believed that, based on communication between the parties before and

after the mediation, it would be expected to contribute to any proposed settlement.

¶7 On August 5, 2020, Remprex received a broad subpoena for records, and in response it

produced thousands of documents to the parties. Additionally, two of Remprex’s principals

received deposition notices from Rogers’ counsel and were deposed. Remprex further

contended that its continued participation was sought by the parties in the ongoing BNSF

lawsuit, and it participated in a second unsuccessful mediation on April 7, 2021. We take

judicial notice that the BNSF lawsuit went to trial and resulted in a jury award in favor of the

class and against BNSF on October 12, 2022. Beyond the actions mentioned here, Remprex

was never otherwise involved in the BNSF lawsuit.

¶8 B. CN Lawsuit

¶9 On July 26, 2019, Rogers filed a second class action lawsuit for alleged violations of BIPA

against Remprex, Illinois Central Railroad Company (ICRC) and CN Transportation, Ltd., an

affiliate of the Canadian National Railway Company (CN lawsuit). The suit raised similar

allegations to those raised in the BNSF lawsuit. With respect to Remprex, Rogers alleged that

-3- Nos. 1-21-1097 & 1-22-0308 (cons.)

it engineered, designed, installed, operated, and managed biometric technology software and

hardware. Additionally, Rogers alleged that CN used Remprex’s technology at its railyards

and the two companies acted jointly in violating his privacy rights by collecting, capturing,

storing, transferring, using, or otherwise obtaining his biometric information in a negligent or

reckless manner. Further, Rogers alleged that Remprex used and shared his and other truck

drivers’ fingerprint scans in an unauthorized manner as part of a biometric-based automated

gate system at Illinois railyards for companies like CN, and improperly disseminated that

information.

¶ 10 Remprex moved to dismiss Rogers’ complaint on August 30, 2019, and on November 14,

2019, Rogers voluntarily dismissed Remprex from the case.

¶ 11 C. Remprex’s Claims and Circuit Court Proceedings

¶ 12 Remprex maintained a “Beazley Breach Response” (BBR) policy, underwritten by Lloyd’s

that covered a policy period of July 30, 2018, to July 30, 2019. Among other things, the policy

provided coverage for data & network liability and media liability. The policy also contained

a choice of law provision which provided that New York law governed disputes about its terms.

¶ 13 In June 2019, Remprex notified Lloyd’s of its claims under its policy, namely under the

Data & Network Liability and Media Liability provisions, which Remprex contended were

applicable to the BNSF and CN lawsuits. In its correspondence to Lloyd’s, Remprex explained

that both suits concerned the unlawful creation, collection, dissemination, and unauthorized

disclosure of private personal information in the form of fingerprint data, by or on behalf of

Remprex, which triggered the coverage and Lloyd’s corresponding responsibility to cover all

reasonable and necessary legal costs and expenses resulting from the investigation and defense

of those suits.

-4- Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 14 Lloyd’s responded in writing on November 19, 2019, denying coverage because it

determined that neither the CN lawsuit nor the BNSF lawsuit implicated the policy’s coverage.

Specifically, Lloyd’s stated that neither the Data & Network Liability nor the Media Liability

provisions covered the circumstances in the two underlying lawsuits. Both parties engaged in

correspondence back and forth for a few months, with Lloyd’s final correspondence about the

matter occurring in April 2020.

¶ 15 Remprex filed suit against Lloyd’s on August 24, 2020. Lloyd’s responded by filing its

appearance on November 20, 2020, and a section 2-615 (735 ILCS 5/2-615 (West 2020))

motion to dismiss on December 21, 2020. Remprex subsequently filed its six-count, first

amended complaint on April 19, 2021. Count I sought a declaration that Lloyd’s had a duty to

defend and indemnity it in the CN and BNSF lawsuits; count II alleged breach of contract;

count III alleged bad faith; count IV alleged vexatious and unreasonable conduct; count V

alleged a violation of the Illinois Consumer Fraud Act (815 ILCS 505/1 et seq. (West 2020));

and count VI alleged common law fraud. Remprex based the allegations of its complaint on

the underlying CN and BNSF complaints, the BNSF answer and subpoena, and Lloyd’s written

denials of its claims for coverage.

¶ 16 Lloyd’s responded with a second section 2-615 motion to dismiss. Lloyd’s first contended

that it had no duty to defend Remprex for either the CN or BNSF complaints because a

comparison of the underlying complaint and the insurance policy showed that there was no

duty to defend under the Media Liability or Data & Network Liability coverages.

¶ 17 With respect to the CN lawsuit, Lloyd’s noted that the policy’s definition of Media Liability

covered liability for creating, displaying, broadcasting, disseminating, or releasing Media

Material to the public, and the CN complaint did not allege that Remprex did any of those

-5- Nos. 1-21-1097 & 1-22-0308 (cons.)

things. Rather, the CN complaint alleged that Remprex violated BIPA by “capturing and

obtaining” and “collecting and storing” biometric information without appropriate consents,

and there was no allegation that any information was released to the public or that Remprex

took any action directed to the public. Lloyd’s disagreed with Remprex’s wide interpretation

of “to the public,” namely that an allegation of dissemination to certain select entities would

be sufficient to satisfy the policy language requiring dissemination to the public. Lloyd’s

concluded that because there was no allegation in the CN complaint that Remprex disseminated

any information to the public, it had no duty to defend the CN complaint under the Media

Liability coverage of the policy.

¶ 18 Lloyd’s further contended that it had no duty to defend the CN lawsuit under the Data &

Network Liability coverage of the policy because there was no allegation of a data breach or

security breach in the CN complaint. Lloyd’s noted that the CN complaint was not a claim

against Remprex for the theft or loss of information that in Remprex’s care, custody or control,

or the disclosure of such information without Remprex’s authorization. Rather, the CN

complaint alleged that Remprex collected information from Rogers without his consent; thus,

it was not covered or potentially covered as a data breach. Nor did the CN complaint allege

behaviors that would constitute a security breach as it was not a claim for the failure of

computer security to prevent unauthorized access or use of computer systems, nor was there

any allegation against Remprex that its computer security failed to prevent unauthorized access

or use of its computer systems. Because the CN complaint did not mention Remprex’s

computer security, Lloyd’s concluded that the CN complaint was not covered or potentially

covered as a security breach.

-6- Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 19 With respect to the BNSF suit, Lloyd’s initially noted that Remprex was not a party to the

suit and that although Remprex sought coverage for the BNSF complaint, the BNSF answer,

and for a third-party subpoena for documents received by Remprex from Rogers, those items

were not covered by the policy. First, Lloyd’s contended that the BNSF complaint, answer and

subpoena were not claims made against Remprex as Remprex was not named in the complaint

and the complaint sought no money or services from Remprex. Similarly, Lloyd’s argued that

the BNSF answer to the complaint and the subpoena were not claims against Remprex as they

were not filed against Remprex and demanded no money or services from Remprex. Lloyd’s

acknowledged that Remprex received a letter from BNSF requesting indemnity for the claims

brought by Rogers pursuant to an indemnification provision in a contract between BNSF and

Remprex; however, the first amended complaint did not make any claims in connection with

BNSF’s request for contractual indemnification, and further, such claim would not be covered

as the policy specifically excluded any loss arising from a contractual liability or obligation.

Additionally, Lloyd’s noted that Remprex did not notify it of the subpoena when Remprex

received it and never attempted to claim coverage for the subpoena, thus Lloyd’s had no duty

to defend Remprex in connection with the subpoena.

¶ 20 Lloyd’s also contended that Remprex failed to state a claim in count III (bad faith) under

215 ILCS 5/154.6 (West 2020)), because the complaint pled no facts to support its “bare

assertion” of improper claims handling, and because the statute relied upon was regulatory,

Remprex had no cause of action as a policyholder.

¶ 21 With respect to count IV (vexatious and unreasonable conduct) under 215 ILCS 5/155

(West 2020)), Lloyd’s argued that Remprex failed to state a claim because: (1) disputes under

the policy were governed by New York law so a claim could not be brought under an Illinois

-7- Nos. 1-21-1097 & 1-22-0308 (cons.)

statute; (2) a section 155 claim could not proceed when there was no duty to defend; (3)

Remprex alleged no facts showing that Lloyd’s position was not reasonable and bona fide; and

(4) the only fact alleged in support of the claim was that Lloyd’s issued its letter denying

coverage in November 2019, several months after Remprex first provided notice of its claims

in June 2019, which was insufficient to support its claim because the two entities were in

communication throughout that time period.

¶ 22 With respect to Remprex’s claim under the Consumer Fraud Act (count V) (815 ILCS

505/1 et seq. (West 2020)), Lloyd’s argued that the CN and BNSF complaints were not covered

under the policy, so coverage was appropriately denied. Additionally, the policy required that

New York law be applied, so Remprex could not bring a claim under an Illinois statute. Lloyd’s

also contended that Remprex’s claim was a restatement of its breach of contract claim which

could not support a violation of the Consumer Fraud Act, and that Remprex failed to identify

any specific misrepresentations or unfair acts or practices in its first amended complaint.

¶ 23 Finally, Lloyd’s contended that Remprex failed to state a claim in count VI (common law

fraud) because the CN and BNSF complaints were not covered by the policy, so coverage was

appropriately denied. Additionally, Lloyd’s noted that a party could not state a claim of fraud

by alleging that a counterparty did not comply with the parties’ contract, which was the basis

of Remprex’s claim, and further that Remprex failed to allege the elements of fraud.

¶ 24 Lloyd’s therefore concluded that Remprex’s first amended complaint should be dismissed

with prejudice in its entirety.

¶ 25 Remprex filed a response in which it raised essentially the same allegations contained in

its first amended complaint. The circuit court subsequently heard argument on the motion on

August 5, 2021, via a Zoom teleconference. At the hearing, the court indicated that it had

-8- Nos. 1-21-1097 & 1-22-0308 (cons.)

reviewed the materials submitted by both sides, and allowed time for oral argument. After

hearing argument, the circuit court found that there was no coverage for the CN lawsuit under

the policy because there was no dissemination of any data to the public, just transmission

between parties affiliated with one another. With respect to the BNSF lawsuit, the court noted

that because Remprex was not named, it could not determine whether there was coverage. The

circuit court dismissed the remaining counts of the first amended complaint.

¶ 26 The circuit court subsequently entered its written order on August 12, 2021, granting

Lloyd’s motion to dismiss. The order indicated that “[f]or the reasons stated on the record,”

counts 1 and 2 for declaratory judgment and breach of contract were dismissed with prejudice

to the extent that they asserted causes of action arising from Lloyd’s refusal to defend Remprex

in the CN lawsuit or to indemnify it for expenses or liability incurred in defense of the CN

lawsuit. The order additionally dismissed counts 1 and 2 without prejudice with respect to the

BNSF lawsuit so that Remprex could seek a declaratory judgment regarding coverage if it was

subsequently named in the BNSF lawsuit. 2 Counts I through VI were dismissed with prejudice,

and the order was entered as a final order which resolved all outstanding issues in the case.

¶ 27 Remprex filed its timely notice of appeal on September 2, 2021 (case number 21-1097).

However, on February 2, 2022, Rempex filed a motion to remand to the circuit court for entry

of a final order. On February 16, 2022, this court granted the motion to remand for the limited

purpose of having the circuit court clarify whether its order of August 12, 2021, was intended

as a final order disposing of the case. In response, the circuit court entered a subsequent order

on Lloyd’s motion to dismiss on February 28, 2022, which dismissed counts I and II with

2 As previously noted, the BNSF lawsuit ended in a jury verdict on October 12, 2022, and Remprex was never named as a party to that suit.

-9- Nos. 1-21-1097 & 1-22-0308 (cons.)

prejudice as related to the BNSF lawsuit because Remprex was not named as a defendant in

that lawsuit. All other relief remained the same. Remprex filed a second notice of appeal on

March 3, 2022 (case number 22-0308), which was subsequently consolidated with the earlier

appeal.

¶ 28 D. The Insurance Policy

¶ 29 As noted above, the BBR policy at issue was issued to Remprex by Lloyd’s as underwriters

for the policy period of July 30, 2018, through July 30, 2019. The policy included a BBR

Information Pack. Under the BBR Insuring Agreements Breach Responses section, the purpose

of the policy was “[t]o provide Breach Response Services to the Insured Organization

because of an actual or reasonably suspected Data Breach or Security Breach that the

Insured first discovers during the Policy Period.” (Emphasis in original).

¶ 30 Applicable to this appeal, the Data & Network Liability section of the policy provided as

follows:

“Data & Network Liability

To pay Damages and Claims Expenses, which the Insured is legally obligated to pay

because of any Claim first made against any Insured during the Policy Period for:

1. a Data Breach;

2. a Security Breach; ***

4. failure by the Insured to comply with that part of a Privacy Policy that specifically:

(a) prohibits or restricts the Insured Organization’s disclosure, sharing or selling of

Personally Identifiable Information;

- 10 - Nos. 1-21-1097 & 1-22-0308 (cons.)

(b) requires the Insured Organization to provide an individual access to Personally

Identifiable Information or to correct incomplete or inaccurate Personally

Identifiable Information after a request is made; or

(c) mandates procedures and requirements to prevent the loss of Personally Identifiable

Information;

provided the Insured Organization has in force, at the time of such failure, a Privacy

Policy that addresses those subsections above that are relevant to such Claim.” (Emphasis

in the original).

¶ 31 The Media Liability section of the policy provided as follows:

“Media Liability

To pay Damages and Claims Expenses, which the Insured is legally obligated to pay

because of any Claim first made against any Insured during the Policy Period for Media

Liability.” (Emphasis in the original).

¶ 32 The definitions section of the policy also contains several relevant definitions as follows:

“Breach Notice Law means any statute or regulation that requires notice to persons whose

personal information was accessed or reasonably may have been accessed by an unauthorized

person. Breach Notice Law also includes any statute or regulation requiring notice of a Data

Breach to be provided to governmental or regulatory authorities.

Breach Response Services means the following fees and costs in response to an actual or

reasonably suspected Data Breach or Security Breach: ***”

“Claim means:

1. a written demand received by any Insured for money or services;

- 11 - Nos. 1-21-1097 & 1-22-0308 (cons.)

***

3. with respect to coverage provided under part 1. of the Data & Network Liability insuring

agreement only, a demand received by any Insured to fulfill the Insured Organization’s

contractual obligation to provide notice of a Data Breach pursuant to a Breach Notice

Law.

Multiple Claims arising from the same or a series of related, repeated or continuing acts, errors,

omissions or events will be considered a single Claim for the purposes of this Policy.

Claims Expenses means:

1. all reasonable and necessary legal costs and expenses resulting from the investigation,

defense and appeal of a Claim, if incurred by the Underwriters, or by the Insured with

the prior written consent of the Underwriters; ***

Claims Expenses will not include any salary, overhead, or other charges by the Insured

for any time spent in cooperating in the defense and investigation of any Claim or circumstance

that might lead to a Claim notified under this Policy, or costs to comply with any regulatory

orders, settlements or judgments.

Computer Systems means computers, any software residing on such computers and any

associated devices or equipment:

1. operated by and either owned by or leased to the Insured Organization; or

2. with respect to coverage under the Breach Response and Liability insuring

agreements, operated by a third party pursuant to a written contract with the

Insured Organization and used for the purposes of providing hosted computer

- 12 - Nos. 1-21-1097 & 1-22-0308 (cons.)

application services to the Insured Organization or for processing, maintaining,

hosting or storing the Insured Organization’s electronic data.”

“Damages means a monetary judgment, award or settlement, including any award of

prejudgment or post-judgment interest; but Damages will not include:

9. any amounts for which the Insured is not liable, or for which there is no legal

recourse against the Insured.

Data means any software or electronic data that exists in Computer Systems and that is subject

to regular back-up procedures.

Data Breach means the theft, loss, or Unauthorized Disclosure of Personally Identifiable

Information or Third Party Information that is in the care, custody or control of the Insured

Organization or a third party for whose theft, loss or Unauthorized Disclosure of Personally

Identifiable Information or Third Party Information the Insured Organization is liable.”

“Loss means Breach Response Services, Business Interruption Loss, Claims Expenses,

Criminal Reward Funds, Cyber Extortion Loss, Damages, Data Recovery Costs,

Dependent Business Loss, PCI Fines, Expenses and Costs, Penalties, loss covered under

the eCrime insuring agreement and any other amounts covered under this Policy.”

“Media Liability means one or more of the following acts committed by, or on behalf of, the

Insured Organization in the course of creating, displaying, broadcasting, disseminating or

releasing Media Material to the public:

- 13 - Nos. 1-21-1097 & 1-22-0308 (cons.)

1. defamation, libel, slander, product disparagement, trade libel, infliction of emotional

distress, outrage, outrageous conduct, or other tort related to disparagement or harm to

the reputation or character of any person or organization;

2. a violation of the rights of privacy of an individual, including false light, intrusion upon

seclusion and public disclosure of private facts;

3. invasion or interference with an individual’s right of publicity, including commercial

appropriation of name, persona, voice or likeness;

4. plagiarism, piracy, or misappropriation of ideas under implied contract;

5. infringement of copyright;

6. infringement of domain name, trademark, trade name, trade dress, logo, title, metatag,

or slogan, service mark or service name;

7. improper deep-linking or framing;

8. false arrest, detention or imprisonment;

9. invasion of or interference with any right to private occupancy, including trespass,

wrongful entry or eviction; or

10. unfair competition, if alleged in conjunction with any of the acts listed in parts 5. or 6.

above.

Media Material means any information, including words, sounds, numbers, images or graphics,

but will not include computer software or the actual goods, products or services described,

illustrated or displayed in such Media Material.”

“Personally Identifiable Information means:

- 14 - Nos. 1-21-1097 & 1-22-0308 (cons.)

1. any information concerning an individual that is defined as personal information under

any Breach Notice Law; and

2. an individual’s driver’s license or state identification number, social security number,

unpublished telephone number, and credit, debit or other financial account numbers in

combination with associated security codes, access codes, passwords or PINs; if such

information allows an individual to be uniquely and reliably identified or contacted of

allows access to the individual’s financial account or medical record information.

but will not include information that is lawfully made available to the general public.”

“Security Breach means a failure of computer security to prevent:

1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or

Use resulting from the theft of a password from a Computer System or from any Insured;

2. a denial of service attack affecting Computer Systems;

3. with respect to coverage under the Liability insuring agreements, a denial of service attack

affecting computer systems that are not owned, operated or controlled by an Insured; or

4. infection of Computer Systems by malicious code or transmission of malicious code from

Computer Systems.”

“Unauthorized Disclosure means the disclosure of (including disclosure resulting from

phishing) or access to information in a manner that is not authorized by the Insured

Organization and is without knowledge of, consent or acquiescence of any member of the

Control Group.” (Emphasis in original).

¶ 33 The policy also excluded certain types of losses. With respect to the gathering or

distribution of information, the policy excluded any loss arising out of “the unlawful collection

- 15 - Nos. 1-21-1097 & 1-22-0308 (cons.)

or retention of Personally Identifiable Information or other personal information by or on

behalf of the Insured Organization;” but the exclusion did not apply to “Claims Expenses

incurred in defending the Insured against allegations of unlawful collection of Personally

Identifiable Information.” The policy also excluded from coverage, under the Media Liability

insuring agreement, “any contractual liability or obligation,” but the exclusion did not apply to

a claim for misappropriation of ideas under implied contract.

¶ 34 The policy further provided that, “[e]xcept with respect to coverage under the Payment

Card Liabilities & Costs insuring agreement, the Underwriters ha[d] the right and duty to

defend any covered Claim or Regulatory Proceeding.”

¶ 35 II. ANALYSIS

¶ 36 On appeal, Remprex contends that Lloyd’s had a duty to defend it in the two underlying

lawsuits that alleged BIPA violations pursuant to two provisions of the policy. The provisions

at issue provided coverage for claims based on the dissemination of information to the public

and for claims based on a loss for which Remprex was liable. Specifically, Remprex argues

that: (1) it stated valid claims for declaratory judgment and breach of contract because Lloyd’s

had a duty to defend under the insurance policy; (2) the circuit court erred in dismissing its

claims merely because Remprex was not named as a defendant in the BNSF lawsuit; and (3)

the circuit court erred in dismissing Remprex’s remaining claims for breach of contract,

violation of the Consumer Fraud Act and common law fraud.

¶ 37 A. Standard of Review

¶ 38 This is an appeal from the circuit court’s grant of a section 2-615 (735 ILCS 5/2-615 (West

2020)) motion to dismiss for failure to state a cause of action. Specifically, Lloyd’s motion to

dismiss contended that the facts alleged by Remprex did not fall, or even potentially fall, within

- 16 - Nos. 1-21-1097 & 1-22-0308 (cons.)

the scope of coverage in the insurance policy it issued to Remprex. A motion to dismiss under

section 2-615 of the Code challenges the legal sufficiency of the complaint by alleging defects

on its face. Omega Demolition Corporation v. The Illinois State Toll Highway Authority, 2022

IL App (1st) 210158, ¶ 36. A court should grant a section 2-615 motion to dismiss only if it is

apparent that the plaintiff cannot prove any set of facts that will entitle it to recover. Board of

Trustees of Community College District No. 502, County of DuPage v. Department of

Professional Regulation, 363 Ill. App. 3d 190, 196 (2006). The question is whether, even

assuming that all well-pleaded facts in the complaint are true, the complaint states a legally

recognized cause of action. Omega Demolition, 2022 IL App (1st) 210158, ¶ 36. In making

this determination, a court will construe the complaint’s allegations in the light most favorable

to plaintiff and draw reasonable inferences in the plaintiff’s favor. Id. An appellate court

reviews a circuit court’s order granting a section 2-615 motion de novo. Id. Additionally, we

may affirm on any basis appearing in the record, whether or not the trial court relied on that

basis or its reasoning was correct. Id.

¶ 39 B. Choice of Law Provision in the Policy

¶ 40 As a preliminary matter, we note that the policy at issue contained a choice of law provision

that designated New York law to apply to disputes. In the absence of a specific choice of law

provision, the general choice of law rules of the forum state control. U.S. Gypsum Co. v.

Admiral Insurance Co., 268 Ill. App. 3d 598, 635 (1994). It is undisputed that the insurance

policy at issue designated New York law to apply to any disputes. Nor is there any dispute

between the parties about the applicability of the choice of law provision contained in the

policy as it relates to Lloyd’s duty to defend. We will therefore apply the parties’ chosen law,

New York, in interpreting this insurance policy.

- 17 - Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 41 C. New York Contract Interpretation Principles

¶ 42 With respect to the policy, Remprex initially sought declarations that Lloyd’s had a duty

to defend and indemnify, while Lloyd’s contended that it had no duty because coverage under

the policy was not triggered. In an action for a judgment declaring the parties’ rights under an

insurance policy, we must be guided by rules of contract interpretation because an insurance

policy is a contract between the insurer and insured. Westchester Fire Insurance Co. v.

Schorsch, 129 N.Y.S. 3d 67, 74 (2020). Contract interpretation or construction is usually a

court function. Id. Thus, in interpreting an insurance policy, the court must determine the

rights and obligations of the parties, using the specific language of the policy itself. Sunrise

Acupuncture, P.C. v. Kemper Independence Insurance Co., 86 N.Y.S. 3d 710, 712 (2018). To

ascertain the parties’ intent from the language of the insurance contract, the court must construe

the policy as a whole; all pertinent provisions of the policy should be given meaning, with due

regard to the subject matter that is being insured and the purpose of the entire contract.

Westchester, 129 N.Y.S. 3d at 74.

¶ 43 When the language in an insurance policy is clear and unambiguous, the interpretation of

said document and the determination of the rights and obligations of the parties is a question

of law to be adjudicated by the court. Sunrise, d. 86 N.Y.S. 3d at 713. However, if the language

in the policy is ambiguous, the court can use extrinsic evidence to determine the intent of the

parties to the policy and resolution of the rights and obligations of the parties is a question of

fact, to be determined by the trier of fact. Id. If the extrinsic evidence is conclusory, failing to

equivocally resolve the ambiguity in a policy, interpretation of the policy remains a question

of law for the court to decide; deciding any ambiguities against the insurer. Id.

- 18 - Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 44 When interpreting an insurance policy, the language of the policy, when clear and

unambiguous, must be given its plain and ordinary meaning. Id. The policy should be construed

in such a way “that affords a fair meaning to all of the language employed by the parties in the

contract and leaves no provision without force and effect.” Id. (quoting Raymond Corporation

v. National Union Fire Insurance Co. of Pittsburgh, PA., 5 N.Y. 3d 157, 162 (2005)).

¶ 45 We further note while Remprex sought declarations in the circuit court that Lloyd’s had

both a duty to defend and indemnify under the policy provisions, Remprex has not made any

argument on appeal or cited to any supporting authority with respect to its claims that Lloyd’s

had a duty to indemnify and solely concentrates its arguments on Lloyd’s duty to defend under

the policy. A point not argued or supported by citation to relevant authority fails to satisfy the

requirements of Illinois Supreme Court Rule 341(h)(7) (eff. Oct. 1, 2020). See Lake County

Grading Co., LLC v. Forever Construction Co., Inc., 2017 IL App (2d) 160359, ¶ 83. Since

the issue of whether Lloyd’s had a duty to indemnify Remprex has not been raised in this

appeal, we therefore do not address that issue herein. See Rodgers v. St. Mary’s Hospital of

Decatur, 149 Ill. 2d 302, 309 (1992). We now turn our attention then to the relevant law with

respect to an insurer’s duty to defend.

¶ 46 An insurer’s duty to defend its insured arises whenever the allegations in a complaint state

a cause of action that gives rise to the reasonable possibility of recovery under the policy. Town

of Massena v. Healthcare Underwriters Mutual Insurance Co., 98 N.Y. 2d 435, 443 (2002). If

the allegations of the complaint are even potentially within the language of the insurance

policy, there is a duty to defend. Id. If any of the claims against an insured arguably arise from

a covered event, the insurer is required to defend the whole action. Id. The duty to defend arises

whenever the allegations in a complaint against the insured fall within the scope of the risks

- 19 - Nos. 1-21-1097 & 1-22-0308 (cons.)

undertaken by the insurer and it is immaterial that the complaint against the insured asserts

additional claims which fall outside of the policy’s general coverage or within its exclusory

provisions. Id. at 443-44. When an exclusion clause is relied upon to deny coverage, the burden

rests on the insurance company to demonstrate that the allegations of the complaint can be

interpreted only to exclude coverage. Id. at 444. The merits of the complaint are irrelevant, and

an insured’s right to be accorded legal representation is a contractual right and consideration

upon which his premium is in part predicated, and this right exists even if debatable theories

are alleged in the pleading against the insured. Id. Nonetheless, an insurer can be relieved of

its duty to defend if it establishes as a matter of law that there is no possible factual or legal

basis on which it might eventually be obligated to indemnify its insured under any policy

provision. Cumberland Farms, Inc. v. Tower Group, Inc., 28 N.Y. 3d 1068, 1070 (2016). Thus,

we must consider whether Remprex’s losses were caused by a covered event so as to bring the

losses within the ambit of the policy. See Throgs Neck Bagels, Inc. v. G.A. Insurance Co. of

New York, 671 N.Y.S. 2d 66, 69 (1998).

¶ 47 With these principles in mind, we now turn to the merits of Remprex’s appeal.

¶ 48 D. Lloyd’s Duty to Defend (Counts I and II)

¶ 49 Remprex first contends that it stated valid claims for declaratory judgment and breach of

contract because Lloyd’s had a duty to defend it under the policy. Remprex argues that both

the CN and BNSF lawsuits triggered the duty to defend against claims based on the

dissemination of material to the public, and against claims based on a loss for which Remprex

may be liable. Remprex concludes that when the broad presumptions in favor of coverage are

properly applied and Remprex’s allegations are viewed in the most favorable light, “it is plain

that Remprex has sufficiently set forth allegations arguably triggering Lloyd’s duty to defend”

- 20 - Nos. 1-21-1097 & 1-22-0308 (cons.)

which was the only requirement to survive Lloyd’s motion to dismiss. Remprex maintains that

it sufficiently alleged that Lloyd’s had a duty to defend it under multiple provisions of the

policy, and the circuit court’s order dismissing Remprex’s claims should be reversed. It bears

mentioning that Remprex combined New York law and Illinois law in support of its

contentions. However, as stated above, we will apply New York law pursuant to the choice of

law provision in the insurance policy as we address Remprex’s specific contentions

individually below.

¶ 50 1. Duty to Defend Against the BNSF Complaint, Answer and Subpoena

¶ 51 Remprex contends that Lloyd’s had a duty to defend it against the BNSF complaint,

answer and subpoena under both the Media Liability and Data & Network Liability provisions.

Remprex argues that the BNSF suit alleged that BNSF and its vendors, which included

Remprex, collected and transferred the plaintiff class members’ biometric information; and

BNSF in response to those allegations, claimed that Remprex was the party responsible for the

alleged collection and transfer of that information. Remprex concludes that those allegations,

namely that Remprex violated BIPA by collecting and transferring biometric data, constituted

claims that Remprex disseminated media material to the public, including information

concerning individual’s privacy rights. Similarly, Remprex argues that the BNSF suit alleged,

in one way or another, that the plaintiffs lost their personally identifiable information

(biometric data), and that Remprex was liable for that loss, which was covered under the policy.

We disagree.

¶ 52 As noted above, when interpreting an insurance contract, the court must determine the

rights and obligations of the parties, using the specific language of the policy itself. Sunrise,

86 N.Y.S. 3d at 712. When the language in an insurance policy is clear and unambiguous, the

- 21 - Nos. 1-21-1097 & 1-22-0308 (cons.)

interpretation of said document and the determination of the rights and obligations of the

parties is a question of law to be adjudicated by the court. Id. at 713. Additionally, we must

construe the policy as a whole; all pertinent provisions of the policy should be given meaning,

with due regard to the subject matter that is being insured and the purpose of the entire contract.

¶ 53 In this case, under both the Media Liability and Data & Network Liability provision of the

policy at issue, coverage was provided for “damages and claims expenses, which the insured

was legally obligated to pay because of any claim first made against any insured during the

policy period,” for media liability, a data breach, a security breach, or failure to comply with

that part of a privacy policy that specifically prohibited or restricted the insured’s disclosure,

sharing or selling of personally identifiable information, provided that the insured had such

privacy policy in place. The policy specifically defined a claim as “a written demand received

by any insured for money or services,” and further considered a claim under part one of the

Data & Network Liability coverage (data breach) to include “a demand received by any insured

to fulfill their contractual obligation to provide notice of a data breach pursuant to a breach

notice law.” Relevant to the Data & Network Liability coverage, the policy defines a data

breach as the theft, loss or unauthorized disclosure of personally identifiable information that

is in the care, custody or control of the insured or a third party for whose theft, loss or

unauthorized disclosure of the personally identifiable information the insured is liable. With

respect to Media Liability, the policy lists a series of acts, one or more of which committed by

the insured in the course of creating, displaying, broadcasting, disseminating or releasing

media material to the public. Media material is defined as any information including words,

sounds, numbers, images or graphics, but not the computer software or the actual goods,

- 22 - Nos. 1-21-1097 & 1-22-0308 (cons.)

products or services described, illustrated or displayed in such media material. However, we

find that none of these circumstances were presented by the BNSF lawsuit that would have

triggered Lloyd’s duty to defend Remprex.

¶ 54 First and foremost, Remprex was never named as a defendant in the BNSF complaint, thus

no claim as defined by the policy was ever made against it by Rogers, which would arguably

have formed the basis for any duty to defend under the provisions of the policy. As previously

noted, the BNSF lawsuit has since reached a verdict after a jury trial in October 2022 without

Remprex ever being named as a party. Under the plain language of the policy, there was never

a claim made against Remprex- no written demand for money or services, that would have

triggered the policy’s coverage under either the media liability or data & network liability

provisions. Nor did the BNSF lawsuit fall within the other definition of a claim under the data

& network liability insuring agreement as there was no demand that Remprex fulfill a

contractual obligation to provide notice of a data breach pursuant to a breach notice law as

required by the policy.

¶ 55 Moreover, although Remprex apparently voluntarily participated in certain information-

gathering activities related to the BNSF lawsuit in March 2020, we find that such activities did

not rise to the level of being a named party in the suit with a claim filed against it or the

incurrence of claims expenses as defined by the policy. The policy specifically defined claims

expenses as “all reasonable and necessary legal costs and expenses resulting from the

investigation, defense and appeal of a Claim, if incurred by the Underwriters, or by the

Insured with the prior written consent of the Underwriters.” (Emphasis added). Here, there

was no evidence in the record that Remprex had written consent from Lloyd’s to participate in

any information-gathering activities in the BNSF lawsuit, thus such expenses would not have

- 23 - Nos. 1-21-1097 & 1-22-0308 (cons.)

been covered as claims expenses. This is so, despite language in the policy exclusions section,

which states that claims expenses incurred in defending the insured against allegations of

unlawful collection of personally identifiable information because such activity was not pre-

approved by Lloyd’s, which was a condition precedent under the definition of claims expenses.

¶ 56 Additionally, a review of the BNSF complaint reveals that there were general allegations

made against BNSF and “authorized vendors,” however, such general language did not bring

the BNSF complaint within the definition of a claim as defined by the policy because there

was no written demand received by Remprex for money or services in the BNSF complaint.

We therefore conclude that because Remprex was never named as a defendant nor ever

included in the BNSF lawsuit beyond its voluntary participation in information-gathering

activities related to it, there was no demand made of Remprex for money or services that would

support a claim for coverage under the plain language of the policy. Thus, the policy precludes

coverage and Lloyd’s had no duty to defend against the BNSF complaint.

¶ 57 The same result is reached when considering BNSF’s answer to the complaint, in which it

identified Remprex as an authorized vendor related to matters raised in the complaint. BNSF’s

answer was not a claim made against Remprex within the meaning of the policy because it did

not demand money or services. Although BNSF sent a letter to Remprex after the BNSF

lawsuit was filed requesting indemnification pursuant to their contractual agreement, the policy

specifically excluded any contractual liability or obligation with respect to the media liability

coverage. Apparently, Rempex had a contractual obligation to indemnify BNSF under the

terms of their contract, which would therefore fall outside of the policy’s coverage. Thus,

BNSF’s answer to the complaint in the lawsuit that did not name Remprex as a defendant was

- 24 - Nos. 1-21-1097 & 1-22-0308 (cons.)

not a claim within the plain language of the policy and Lloyd’s had no duty to defend against

the BNSF answer.

¶ 58 With respect to the third-party subpoena received by Remprex from plaintiff Rogers’

counsel in August 2020, the record reveals that Remprex did not submit a claim to Lloyd’s

regarding the subpoena. Remprex had previously submitted its initial request for coverage to

Lloyd’s in June 2019, Lloyd’s denied coverage in November 2019, and Remprex filed this suit

in August 2020. The subpoena, received by Remprex after the denial of coverage by Lloyd’s

was never submitted to Lloyd’s for coverage, and Lloyd’s only learned of the subpoena during

the pendency of the litigation at issue. The policy required the insured to notify the insurer of

any claim or potential claim as soon as practicable, but not later than 90 days after the end of

the policy period. The policy at issue expired on July 30, 2019, thus it was no longer in place

when Remprex received the subpoena more than a year later. Because the subpoena was

received outside of the notice provision under policy, there was no coverage available.

¶ 59 Although Remprex considers the subpoena to be part of its original request for coverage

filed in June 2019, Lloyd’s duty to defend was never triggered because Remprex was not a

named party to the BNSF lawsuit and there was no claim filed against it.. Thus, the subpoena

was also not covered as it did not fall within the policy’s effective dates or within 90 days after

its expiration.

¶ 60 We therefore conclude that, despite Remprex’s efforts to persuade us to the contrary, the

policy did not cover any aspect of the BNSF lawsuit as Remprex was not a party to it and there

was no claim for damages or demand for services made against Remprex in the BNSF lawsuit.

We decline to discuss any other aspects of the policy specifics in reference to the BNSF lawsuit

as we believe our conclusion fully disposes of the issue. Accordingly, we find that Lloyd’s

- 25 - Nos. 1-21-1097 & 1-22-0308 (cons.)

section 2-615 motion was properly granted with respect to the BNSF lawsuit because, even

assuming that all well-pleaded facts in the declaratory judgment complaint are true, Remprex’s

complaint fails to state a cause of action against Lloyd’s for coverage as there was no duty to

defend in the BNSF lawsuit. Omega Demolition Corporation, 2022 IL App (1st) 210158, ¶ 36.

The circuit court thus properly dismissed counts I and II as they pertain to the BNSF lawsuit.

¶ 61 2. Duty to Defend Against the CN Complaint

¶ 62 Remprex also contends that Lloyd’s had a duty to defend it against the CN complaint under

both the media liability and data & network liability coverage in the policy. It is uncontroverted

that Remprex was a named defendant in the CN complaint and that a monetary demand was

made in the prayer for relief, thereby satisfying the policy definition of a claim. Our question

then becomes whether Remprex’s claim was caused by a covered event so as to bring its losses

within the ambit of the policy. Throgs Neck Bagels, 671 N.Y.S. 2d at 69. We note again that

while Remprex was initially named in the CN complaint, Remprex filed a successful motion

to dismiss, and the plaintiff voluntarily dismissed Remprex from the suit in November 2019,

approximately four months after filing the complaint.

¶ 63 a. Coverage Under the Media Liability Provision

¶ 64 With respect to the media liability coverage, as it has maintained in all of its pleadings

related to this case, Remprex argues that the CN lawsuit involved allegations that Remprex

disseminated media material to the public, including information violating individuals’ privacy

rights under BIPA, which was collected and transferred to third parties. Remprex insists that

Lloyd’s interpretation of the policy language “to the public” as meaning the community at

large is too narrow and limits the scope of the provision is ways that were not intended by the

- 26 - Nos. 1-21-1097 & 1-22-0308 (cons.)

policy. Remprex contends that the word “public” as used in the policy is ambiguous and that

the public could include a limited group.

¶ 65 In order to determine whether the Media Liability provision of the policy applied and thus

triggered Lloyd’s duty to defend, we must first examine the type of information that was

alleged to be captured or collected, and whether that type of information was covered by the

policy.

¶ 66 The CN complaint alleged that the named defendants collected and transferred the

individual’s fingerprints in violation of Illinois’ BIPA law. BIPA requires that an individual

be informed and provide a release before any biometric information is captured or collected.

See Watson v. Legacy Healthcare Financial Services, LLC, 2021 IL App (1st) 210279, ¶ 53.

Under BIPA, “biometric information” is defined as “any information, regardless of how it is

captured, converted, stored, or shared, based on an individual’s biometric identifier used to

identify an individual.” 740 ILCS 14/10 (West 2018); Mosby v. Ingalls Memorial Hospital,

2022 IL App (1st) 200822, ¶ 47. BIPA further defines “biometric identifiers” as “a retina or

iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Id. In the underlying CN

complaint, it was alleged that the plaintiffs’ fingerprint information was collected and stored

without permission. There is no dispute that any collection and transfer of an individual’s

fingerprints without informing them and procuring a release would be a violation of BIPA.

¶ 67 However, the crux of our issue is whether an alleged violation of BIPA, as outlined in the

CN complaint, triggered the media liability coverage under the policy.

¶ 68 As noted above, the policy specifically defines media liability as one or more of

enumerated acts committed by or on behalf of the insured in the course of creating, displaying,

broadcasting, disseminating or releasing media material to the public. As detailed above, the

- 27 - Nos. 1-21-1097 & 1-22-0308 (cons.)

policy then goes on to outline specific acts that fall within the scope of coverage. The policy

also defines media material as any information, including words, sounds, numbers, images or

graphics. The parties do not appear to dispute whether fingerprints are considered media

material as defined in the policy.

¶ 69 Remprex focuses its argument on the dissemination to the public requirement for

coverage, maintaining that the policy did not define “public,” and it is thus an ambiguous term.

Remprex argues that Lloyd’s uses a narrow definition of public and maintains that “public”

can apply to information shared between itself and one other entity. To the contrary, we find

that under the circumstances presented here, dissemination to the counterparty of the

agreement to collect such information was not reasonably anticipated under the policy to

constitute “public.”

¶ 70 The construction and interpretation of an unambiguous written contract is an issue of law

within the province of the court, as is the inquiry of whether the writing is ambiguous. Palombo

Group v. Poughkeepsie City School District, 3 N.Y.S. 3d 390, 392 (2015). If the language is

free from ambiguity, its meaning may be determined as a matter of law on the basis of the

writing alone without resort to extrinsic evidence. Id. The contract language in an insurance

policy is to be read in light of common speech and interpreted according to the reasonable

expectations and purposes of ordinary businesspeople when making ordinary business

contracts. Heartland Brewery, Inc. v. Nova Casualty Co., 52 N.Y.S. 3d 55, 57 (2017). Before

the rules governing the construction of ambiguous contracts are triggered, the court must first

find an ambiguity. Elletson v. Bonded Insulation Co. Inc., 708 N.Y.S. 2d 511, 513 (2000). An

ambiguity does not exist simply because the parties urge different interpretations or where one

party’s view strains the contract language beyond its reasonable and ordinary meaning. Id.

- 28 - Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 71 In this case, we find that the term “to the public” is not ambiguous, despite Remprex’s

arguments to the contrary. Merriam-Webster Dictionary defines public as “exposed to general

view.” https://www.merriam-webster.com/dictionary/public (accessed February 8, 2023). In

reading the policy’s use of the term “to the public” within the media liability definition, in

context with the types of acts that would constitute media liability, it is clear that the policy

intends for coverage to attach to actions that were intended for general view. For example, the

policy defines media liability as one or more of the following acts in the course of creating,

displaying, broadcasting, disseminating or releasing media material to the public: defamation,

libel, slander or other tort related to the disparagement or harm to the reputation or character

of any person or organization; plagiarism; copyright infringement; and invasion of or

interference with any right to private occupancy, to name a few. These types of acts clearly

anticipate that such media material has to be exposed to general view such that they would

harm an individual or organization in order for coverage to apply. No such acts were included

in the CN complaint’s allegations against Remprex- there was no allegation that Remprex

disseminated or released the plaintiff’s biometric data to general view, only that it was shared

between Remprex and the various railroad entities named within the suit. We therefore

conclude that the use of “public” in the policy is not ambiguous and should be given its plain

and ordinary meaning. Applying the plain and ordinary meaning to the language of the policy,

it is clear that the allegations of the CN complaint did not allege that Remprex disseminated

any media material to the public.

¶ 72 Aside from disseminating media material to the public, however, the policy also defines

media liability as violating an individual’s right to privacy during the “course of creating media

material.” As noted above, the parties do not appear to dispute whether fingerprints are

- 29 - Nos. 1-21-1097 & 1-22-0308 (cons.)

considered media material. Nor is there any dispute that the CN lawsuit alleged that Remprex

created such media material, which would thus fall or potentially fall within coverage under

the policy. However, that does not end our inquiry.

¶ 73 It bears noting that the policy also contains language excluding losses arising from the

unlawful collection or retention of personally identifiable information or other personal

information by or on behalf of the insured organization. Nevertheless, the exclusion contains

an exception, indicating that the exclusion is not applicable to claims expenses incurred in

defending the insured against allegations of the unlawful collection of personally identifiable

information. That is precisely what the CN complaint accused Remprex of doing: unlawfully

collecting the plaintiffs’ fingerprints. As such, we find that there was coverage under the policy

for the claims expenses related to defending against the CN lawsuit. As noted, the CN

complaint was filed on July 26, 2019, and Remprex was not dismissed from the lawsuit until

November 24, 2019. Under the terms of the policy, Remprex was entitled to coverage for its

claims expenses incurred in defending against the CN lawsuit.

¶ 74 Accordingly, we find that the trial court erred in denying coverage for the claims expenses

that Remprex incurred in defending against the CN lawsuit based on its allegations that it

unlawfully collected the CN plaintiffs' fingerprints. We therefore remand to the circuit court

for a determination of those claims expenses due to Remprex.

¶ 75 b. Coverage Under the Data & Network Liability Provision

¶ 76 Remprex makes a similar argument with respect to its claim for coverage under the data &

network liability provisions of the policy. Remprex asserts that the policy requires Lloyd’s to

defend Remprex for a “data breach,” defined as any theft, loss or unauthorized disclosure of

personally identifiable information *** that is in the care, custody or control of [Remprex] or

- 30 - Nos. 1-21-1097 & 1-22-0308 (cons.)

a third party for whose theft, loss, or unauthorized disclosure of personally identifiable

information [Remprex] is liable.” Remprex argues that “in some way or another,” the CN suit

alleges that plaintiffs lost their personally identifiable information and that Remprex is liable

for that loss, which makes the claim covered under the policy. Remprex contends that there is

no question that the biometric data constitutes personally identifiable information under the

policy, and further that the suit alleges a “loss” for which it is liable. Remprex makes a

convoluted argument that the word “loss” with a lowercase “l” is different than the policy’s

defined term “Loss” with a capital “L,” thus making the term ambiguous and seeks to employ

extrinsic evidence to define the term.

¶ 77 As noted above, the data & network liability section of the policy provided, in pertinent

part, that it would pay damages and claims expenses, which the insured was legally obligated

to pay because of any claim made against the insured during the policy period for a data breach;

a security breach; the insured’s failure to timely disclose a data or security breach; failure by

the insured to comply with that part of a privacy policy that specifically prohibited or restricted

the insured’s disclosure; and, the sharing or selling of personally identifiable information

(provided that the insured had such privacy policy in place). The policy defined data breach as

any software or electronic data that exists in computer systems and was subject to regular back-

up procedures. A data breach was defined as the theft, loss, or unauthorized disclosure of

personally identifiable information or third party information that was in the care, custody or

control of the insured or a third party for whose theft, loss or unauthorized disclosure the

insured was liable. The policy also defined what constituted a loss. Personally Identifiable

Information was defined as any information concerning an individual that was defined as

personal information under any breach notice law; and an individual’s driver’s license or state

- 31 - Nos. 1-21-1097 & 1-22-0308 (cons.)

identification number, social security number, unpublished telephone number, and credit, debit

or other financial account numbers in combination with associated security codes, access

codes, passwords or PINs, provided such information allows an individual to be uniquely and

reliably identified or contacted or allows access to the individual’s financial account or medical

record information. It did not, however, include information that is lawfully made available to

the general public. Finally, a security breach was defined as a failure of computer security to

prevent unauthorized access or use of a computer system, including that which occurred from

the theft of a password from a computer system or any insured; a denial of service attack

affecting computer systems; with respect to coverage under the Liability insuring agreements,

a denial of service attack affecting computer systems that are not owned, operated or controlled

by an insured; or the infection of computer systems by malicious code or transmission of

malicious code from computer systems.

¶ 78 A plain reading of the terms of the data & network liability coverage section of the policy

as well as the relevant definition sections establish that the alleged violation of BIPA in the

CN complaint do not fall, or potentially fall within this section of the policy. While it is true

that fingerprint biometric data is personally identifiable information, the collection and storage

of it without the individual’s permission does not appear to fall under this section of the policy.

Contrary to Remprex’s argument, the CN complaint does not allege that such biometric data

was stolen or shared with the public; rather, the complaint alleged that the named defendants

played a part in collecting and sharing such data with one another without permission in

violation of BIPA. The relevant policy section appears to apply primarily to third-party

breaches of the insured’s computer systems which in turn exposes the stored personal

information to unauthorized persons. Remprex’s attempts to bring the allegations of the CN

- 32 - Nos. 1-21-1097 & 1-22-0308 (cons.)

complaint under the data & network coverage of the policy, while certainly creative, are

without merit. The CN complaint contained no allegations that an unauthorized third party

accessed individuals’ personal information and shared it with the public, instead it merely

alleged that the named parties engaged in the unauthorized collection of their personal

information without their consent, which in turn is a violation of BIPA. We therefore conclude

that Lloyd’s had no duty to defend pursuant to the data & network provision of the policy.

¶ 79 We do not reach a discussion of whether there is a difference between loss with a lowercase

“l” or uppercase “L” as we believe the plain language of the policy is dispositive of the issue.

¶ 80 D. Breach of Contract (Count II)

¶ 81 Remprex also contends that Lloyd’s breached the contract of insurance by refusing to

provide coverage for the CN and BNSF lawsuits. However, to the contrary, our conclusion that

there was no coverage for the BNSF lawsuit means that Lloyd’s had no duty to defend it and

thus there was no breach of contract by its failure to do so. Consequently, the section 2-615

motion to dismiss was properly granted as to count II regarding the BNSF lawsuit.

¶ 82 With respect to the CN lawsuit, because we have found limited coverage for the claims

expenses incurred by Remprex in defending against the CN lawsuit, we also find that Remprex

has sustained its breach of contract claim for the CN lawsuit. However, in the context of

insurance liability litigation, Remprex’s damages related to a breach of the duty to defend are

limited to the cost to the insured of defending itself. East Ramapo Central School District v.

New York School Insurance Reciprocal, 158 N.Y.S. 3d 173, 179 (2021).

¶ 83 E. Bad Faith (Count III) and Vexatious and Unreasonable Conduct (Count IV)

¶ 84 Remprex further alleged in count III of its first amended complaint that Lloyd’s denied its

claims “without conducting a reasonable investigation based on all available information as

- 33 - Nos. 1-21-1097 & 1-22-0308 (cons.)

required under Illinois law.” Specifically, Remprex takes issue with the time it took Lloyd’s to

“analyze and prepare its denial letter to Remprex’s request for coverage of the CN [and BNSF]

lawsuit[s].” Additionally, in Count IV, Remprex alleged that Lloyd’s conduct in denying

coverage was vexatious and unreasonable under Illinois law, which entitled it to attorney’s

fees under section 155 of the Insurance Code (215 ILCS 5/155 (West 2020)). We disagree.

¶ 85 Remprex’s claims of bad faith and vexatious and unreasonable conduct go hand in hand.

Section 155 provides an extracontractual remedy intended to make suits by policyholders

economically feasible and punish insurance companies for misconduct. McGee v. State Farm

Fire & Casualty Co., 315 Ill. App. 3d 673, 681 (2000). Thus, the key question in a section 155

claim is whether an insurer’s conduct is vexatious and unreasonable. Id. To state a claim under

section 155, the insured must plead some factual support and cannot merely allege that the

insurer’s conduct was vexatious and unreasonable. Id. Whether a delay is vexatious and

unreasonable is a question of fact that must be assessed based on the totality of the

circumstances, taken in broad focus. Nine Group II, LLC v. Liberty International Underwriters,

Inc., 2020 IL App (1st) 190320, ¶ 41. No single factor is controlling. Id. In examining the

circumstances, courts have considered the insurer’s attitude, whether the insured was forced to

file suit to recover, and whether the insured was denied the use of its property. Id. Additional

considerations include whether there is a bona fide dispute concerning coverage, the extent of

the insurance company’s evaluation and investigation of the claim, and the adequacy of the

communications between the insurance company and the insured. Id. Section 155 costs and

sanctions are inappropriate when a bona fide dispute regarding coverage exists. Id. ¶ 44. Bona

fide is defined as real, actual, genuine, and not feigned. Id. Where an insurer reasonably relies

upon evidence sufficient to form a bona fide dispute, the insurer has not acted unreasonably

- 34 - Nos. 1-21-1097 & 1-22-0308 (cons.)

and vexatiously under section 155. Id. Nor is an insurer liable for a violation of section 155

when it takes a reasonable but erroneous position on its coverage obligations where its position

is at least arguable. Evergreen Real Estate Services, LLC v. Hanover Insurance Co., 2019 IL

App (1st) 181867, ¶ 38. The granting of attorney fees and penalties pursuant to section 155 is

usually entrusted to the sound discretion of the trial court but when section 155 fees and costs

are awarded as a judgment on the pleadings, the standard of review is de novo. Statewide

Insurance Co. v. Houston General Insurance Co., 397 Ill. App. 3d 410, 425 (2009).

¶ 86 We find that Remprex has not sufficiently alleged that Lloyd’s actions were vexatious and

unreasonable. The conduct in question that was alleged by Remprex to constitute bad faith and

vexatious behavior, namely the delay in processing the claims could reasonably demonstrate

just the opposite- the amount of time 3 that Lloyd’s took to analyze the claim and determine

whether there was policy coverage could support the inference that instead of immediately

denying the claim, Lloyd’s fully researched it to ensure that coverage would not be unfairly

withheld. Additionally, Lloyd’s denial of coverage was based on a bona fide dispute as to

coverage; indeed, it is that dispute that got us here. Such bona fide dispute cannot support

Remprex’s claims of bad faith and vexatious and unreasonable behavior that would entitle it

to section 155 attorney fees. Accordingly, Remprex’s claims of bad faith and vexatious and

unreasonable conduct were properly dismissed.

¶ 87 F. Violations of the Illinois Consumer Fraud Act (Count V)

3 Remprex filed its initial claim for the BNSF case in June 2019 which Lloyd’s denied in November 2019, only five months later. Discussions continued until April 2020 and Remprex filed the within case in August 2020.

- 35 - Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 88 Remprex further alleged in count V that Lloyd’s conduct was a violation of the Consumer

Fraud Act (815 ILCS 505/2 (West 2020)) by engaging in unfair and deceptive acts and

practices and arbitrarily denying claims without basis. We find that these counts were properly

dismissed by the circuit court.

¶ 89 The Consumer Fraud Act is a regulatory and remedial statute that is intended to protect

consumers, borrowers, and businesspersons against fraud, unfair methods of competition, and

other unfair and deceptive business practices. Robinson v. Toyota Motor Credit Corp., 201 Ill.

2d 403, 416-17 (2002). It makes it unlawful to engage in any unfair or deceptive acts or

practices, including but not limited to the use of any deception, fraud, false pretense, false

promise, misrepresentation or the concealment, suppression or omission of any material fact,

with intent that others rely on it in the conduct of any trade or commerce. 815 ILCS 505/2

(West 2020). To establish a violation under the Act, a plaintiff must establish: (1) a deceptive

act or practice by the defendant; (2) the defendant's intent that the plaintiff rely on the

deception; (3) the occurrence of the deception during a course of conduct involving trade or

commerce; and (4) the consumer fraud proximately caused the plaintiff's injury. White v.

Daimler Chrysler Corp., 368 Ill. App. 3d 278, 283 (2006). To establish a claim under the

Consumer Fraud Act, a plaintiff must show that (1) defendant committed a deceptive act or

practice; (2) defendant intended for plaintiff to rely on the deception; (3) the deception occurred

in the course of conduct involving trade or commerce; (4) plaintiff suffered actual damages;

and (5) plaintiff's damages were proximately caused by defendant's deceptive conduct. DOD

Technologies v. Mesirow Insurance Services, Inc., 381 Ill. App. 3d 1042, 1050-51 (2008). A

complaint alleging a consumer fraud violation must be pled with the same particularity as that

required under common law fraud. Id.

- 36 - Nos. 1-21-1097 & 1-22-0308 (cons.)

¶ 90 Here, Remprex’s first amended complaint alleged that Lloyd’s engaged in unfair and

deceptive acts and practices by creating through its advertising the expectation among

prospective insureds that media liability claims would be covered; selling policies purporting

to cover media liability; and then arbitrarily and without basis denying coverage for such

claims. The record does not support Remprex’s allegations- Lloyd’s policy did provide

coverage for media liability as defined within the policy purchased by Remprex and Remprex’s

claims were not arbitrarily denied without a basis. We have determined that the policy provided

no coverage for Remprex’s claim for the BNSF lawsuit, and further that the policy provided

limited coverage for Remprex’s claim for the CN lawsuit. We have also determined that there

was no bad faith or vexatious and unreasonable conduct in Lloyd’s handling of the claims as

there was a bona fide dispute as to coverage. We find that Remprex has not sustained its burden

in raising a claim under the Consumer Fraud Act. Thus, its claim was properly dismissed.

¶ 91 G. Common Law Fraud (Count VI)

¶ 92 In count VI of the first amended complaint, Remprex alleged that Lloyd’s “engaged in

fraudulent acts and practices by creating through its advertising the expectation among

prospective insureds that Media Liability claims would be cover[ed]; selling policies

purporting to cover Media Liability claims; and then arbitrarily and without basis denying

coverage for such claims.” Remprex further alleged that Lloyd’s engaged in these practices

with the intent to deceive insureds, and that Remprex relied on those practices to its detriment.

¶ 93 We conclude that Remprex’s claim of common law fraud fails because it did not satisfy

the elements of common law fraud. The elements of common-law fraud are a material

misrepresentation of an existing fact, made with knowledge of the falsity, an intent to induce

reliance thereon, justifiable reliance upon the misrepresentation, and damages. Kastin v.

- 37 - Nos. 1-21-1097 & 1-22-0308 (cons.)

GEIGO General Insurance Co., 140 N.Y.S. 3d 521, 523 (2021). Where a cause of action is

based on a misrepresentation or fraud, the circumstances constituting the wrong shall be stated

in detail. Id.

¶ 94 To start, Remprex fails to satisfy the requirement that there must be a false statement of

material fact. Here, the fact that Lloyd’s provided coverage for media liability in its policy was

not a false statement; there was no issue raised as to whether Lloyd’s provided that type of

coverage. The only issue raised here was whether the claims made by Remprex fell or

potentially fell within the scope of that coverage, which Lloyd’s concluded that it did not and

denied coverage under the policy. Remprex does not allege any additional facts to support this

element, and such failure is fatal to its claim. We therefore affirm the dismissal of count VI. 4

¶ 95 CONCLUSION

¶ 96 In conclusion, we affirm the portion of the circuit court’s 2-615 dismissal as to all claims

related to the BNSF lawsuit and counts III through VI. We reverse the circuit court’s finding

that there was no coverage under the CN lawsuit, finding that there was coverage for

Remprex’s claims expenses incurred in defending the CN lawsuit. We therefore remand for a

calculation of Remprex’s claims expenses due under the policy’s coverage.

¶ 97 Affirmed in part; reversed in part; remanded with directions.

4 As stated above, since the issue of whether Lloyd’s had a duty to indemnify Remprex has not been raised in this appeal, we do not address that issue here. See Rodgers v. St. Mary’s Hospital of Decatur, 149 Ill. 2d 302, 309 (1992).

- 38 -