2024 IL App (1st) 231712 No. 1-23-1712 Opinion filed September 10, 2024 Second Division ______________________________________________________________________________
IN THE APPELLATE COURT OF ILLINOIS FIRST DISTRICT ______________________________________________________________________________ TONY’S FINER FOODS ENTERPRISES, INC., ) Appeal from the ) Circuit Court of Plaintiff-Appellee, ) Cook County. ) v. ) No. 22 CH 9420 ) CERTAIN UNDERWRITERS AT LLOYD’S, LONDON, ) Subscribing to Policy Nos. MPL2183838.18 and ) MPL2183838.19, ) Honorable ) Joel Chupack, Defendants-Appellants. ) Judge, presiding.
PRESIDING JUSTICE VAN TINE delivered the judgment of the court, with opinion. Justice D.B. Walker concurred in the judgment and opinion. Justice Reyes dissented, with opinion.
OPINION
¶1 Defendants Certain Underwriters at Lloyd’s, London, subscribing to policy Nos.
MPL2183838.18 and MPL2183838.19 (Lloyd’s), appeal from the circuit court’s grant of summary
judgment in favor of plaintiff Tony’s Finer Foods Enterprises, Inc. (Tony’s). The circuit court
ruled that Lloyd’s has a duty to defend Tony’s in an underlying class action filed against Tony’s
by its employees, which alleges violations of the Biometric Information Privacy Act (Act) (740 No. 1-23-1712
ILCS 14/1 et seq. (West 2018)). On appeal, Lloyd’s argues that it has no duty to defend Tony’s
because (1) the allegations of the underlying Act lawsuit do not even potentially fall within the
coverage of the insurance policy at issue and (2) Tony’s did not timely report the underlying Act
lawsuit to Lloyd’s. For the following reasons, we reverse and remand with directions that the
circuit court enter summary judgment in Lloyd’s favor on the issue of duty to defend.
¶2 I. BACKGROUND
¶3 A. The Underlying Act Lawsuit
¶4 On December 19, 2018, Charlene Figueroa filed a class action lawsuit against Tony’s and
on April 19, 2019, she filed the amended complaint that is relevant to this appeal. 1 Figueroa alleged
that she worked for Tony’s from March 8, 2017, to September 17, 2018. During that time, Tony’s
required employees to scan their fingerprints to clock in and out of work. Employees used
fingerprint recognition software provided by a timekeeping company called Kronos, which also
maintained a database of employees’ fingerprints. Figueroa alleged that Tony’s violated the Act
by failing to (1) publish a schedule for the permanent deletion of employees’ biometric data (id.
§ 15(a)), (2) obtain employees’ consent to the collection of their biometric data and provide a
written disclosure explaining why and for how long Tony’s retained their biometric data (id.
§ 15(b)), and (3) obtain employees’ consent to disclose their biometric data to Kronos and other
unknown third parties (id. § 15(d)(1)). 2 Figueroa served Tony’s in the underlying Act lawsuit on
1 Figueroa’s original and amended complaints are largely the same, but the amended complaint controls because it does not refer to or adopt the original complaint. See Eberhardt v. Village of Tinley Park, 2024 IL App (1st) 230139, ¶ 86 (citing Bowman v. County of Lake, 29 Ill. 2d 268, 272 (1963)). The primary difference between the two pleadings is that the original complaint alleged one count for violation of the Act and one count for negligence whereas the amended complaint alleges three counts for violation of the Act and no negligence count. 2 Figueroa has never named Kronos as a defendant.
-2- No. 1-23-1712
January 8, 2019. Tony’s tendered the Act complaint to Lloyd’s on March 22, 2019, seeking defense
and indemnification in the underlying lawsuit pursuant to two insurance policies that Tony’s
purchased from Lloyd’s.
¶5 B. The Insurance Policies
¶6 Lloyd’s issued two insurance policies to Tony’s, both titled “Cyber, Data Risk, and Media
Insurance.” The first policy ran from March 15, 2018, to March 15, 2019 (2018 policy), and the
second policy ran from March 15, 2019, to March 15, 2020 (2019 policy). The two policies are
essentially identical except for the periods of time they covered, so we will discuss them as a single
policy unless a distinction between the two is necessary.
¶7 Relevant here, the policy provides coverage for “loss incurred by [Tony’s] *** resulting
from a data breach, security failure, or extortion threat that first occurs on or after the retroactive
date and is discovered by [Tony’s] during the policy period.” Loss includes “claim expenses,
damages, and PCI fines and assessments because of a claim made against [Tony’s].” The policy
sets out the following definitions:
“Data breach means the acquisition, access, or disclosure of personally identifiable
information or confidential corporate information by a person or entity, or in a manner, that
is unauthorized by [Tony’s].
***
Extortion threat means a threat from a third-party to commit an intentional attack
against [Tony’s] website or computer systems or publicly disclose confidential corporate
information or personally identifiable information misappropriated from [Tony’s] if
money, securities, or other property of value is not paid.
-3- No. 1-23-1712
Security failure means any failure by [Tony’s] or by others on [Tony’s] behalf
(including [Tony’s] subcontractors, outsourcers, or independent contractors) in securing
[Tony’s] computer system.”
¶8 The policy excludes certain claims from coverage. Relevant here, an exclusion provision
states that:
“This policy does not apply to and [Lloyd’s] will have no obligation to pay any loss,
damages, claim expenses, or other amounts:
1. based upon or arising out of any actual or alleged:
a. collection of information by [Tony’s] (or others on [Tony’s] behalf)
without the knowledge or permission of the persons to whom such information
relates; however, this exclusion will not apply if no board member, trustee, director,
or officers (or equivalent position) of [Tony’s] knew or had reason to know of such
conduct; or
b. use of personally identifiable information by [Tony’s] (or others on
[Tony’s] behalf) in violation of law.”
-4- No. 1-23-1712
¶9 C. This Declaratory Action
¶ 10 Lloyd’s denied coverage on June 6, 2019, based on Tony’s failure to notify Lloyd’s of the
underlying Act lawsuit during the 2018 policy period. According to Lloyd’s, the policy required
such notice to trigger coverage. On September 22, 2022, Tony’s filed this declaratory judgment
action against Lloyd’s, alleging that Lloyd’s had a duty to defend Tony’s in the underlying Act
lawsuit. 3 The parties filed cross-motions for summary judgment. Tony’s motion argued that
Lloyd’s was not permitted to flatly deny coverage; rather, Lloyd’s had to either (1) defend the
underlying Act lawsuit pursuant to a reservation of rights or (2) seek its own declaratory judgment
that it had no duty to defend. Lloyd’s motion contended that Tony’s failed to provide notice of the
underlying Act lawsuit to Lloyd’s during the 2018 policy period. Lloyd’s also argued that the
allegations of the underlying Act lawsuit did not even potentially fall within the coverage
provisions of the insurance policy.
¶ 11 The circuit court granted summary judgment in Tony’s favor. The court found that Lloyd’s
had a duty to defend Tony’s because the allegations of the underlying Act lawsuit potentially fell
within the policy’s coverage. The record is void of any reason for this conclusion. The court also
found that Lloyd’s was estopped from asserting policy defenses because Lloyd’s failed to defend
Tony’s in the underlying Act lawsuit pursuant to a reservation of rights and failed to file its own
declaratory action. Lloyd’s filed a motion to reconsider, which the circuit court denied.
¶ 12 Lloyd’s timely appealed.
3 Tony’s initially named “Hiscox Inc.” as the insurance provider defendant in this declaratory judgment action. Lloyd’s brought this error to the circuit court’s attention and the court amended the caption to replace “Hiscox Inc.” with Lloyd’s.
-5- No. 1-23-1712
¶ 13 II. ANALYSIS
¶ 14 Lloyd’s argues that the circuit court erred in granting summary judgment for Tony’s
because (1) the allegations of the underlying Act lawsuit do not even potentially fall within the
insurance policies’ coverage and (2) Tony’s did not report the underlying Act lawsuit to Lloyd’s
during the 2018 policy period.
¶ 15 Summary judgment should be granted when the pleadings, admissions, depositions, and
affidavits on file, viewed in the light most favorable to the nonmovant, establish that there is no
genuine issue of material fact, and that the movant is entitled to judgment as a matter of law. 735
ILCS 5/2-1005(c) (West 2018); Thounsavath v. State Farm Mutual Automobile Insurance Co.,
2018 IL 122558, ¶ 15. We review the circuit court’s grant of summary judgment de novo
(Thounsavath, 2018 IL 122558, ¶ 16), meaning that we perform the same analysis as the circuit
court (Galarza v. Direct Auto Insurance Co., 2022 IL App (1st) 211595, ¶ 33). We also review
this matter de novo because it involves the interpretation of insurance policies, a task that concerns
questions of law. See West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL
125978, ¶ 30.
¶ 16 When interpreting an insurance policy, a court’s primary objective is to ascertain and give
effect to the intentions of the parties as expressed by the language of the policy. Valley Forge
Insurance Co. v. Swiderski Electronics, Inc., 223 Ill. 2d 352, 362 (2006). If the policy language is
unambiguous, we enforce it as written unless doing so would violate public policy. Schultz v.
Illinois Farmers Insurance Co., 237 Ill. 2d 391, 400 (2010). But if the policy language is
susceptible to more than one meaning, then it is ambiguous, and we must construe it strictly against
the insurer. Pekin Insurance Co. v. Wilson, 237 Ill. 2d 446, 456 (2010). Additionally, we construe
-6- No. 1-23-1712
provisions that limit or exclude coverage liberally in favor of the insured and against the insurer.
Id. We also construe the policy as a whole and account for the type of insurance purchased, the
nature of the risks involved, and the overall purpose of the policy. Id.
¶ 17 As an initial matter, Tony’s argues that Lloyd’s refusal to defend the underlying Act lawsuit
was a breach of the duty to defend; therefore, Lloyd’s is estopped from raising any coverage
defenses. When an insured party tenders defense of a claim to its insurer and the insurer believes
that the claim is not covered by the insurance policy, the insurer cannot “simply refuse to defend
the insured.” Employers Insurance of Wausau v. Ehlco Liquidating Trust, 186 Ill. 2d 127, 150
(1999). Rather, the insurer must either (1) defend the underlying lawsuit under a reservation of
rights or (2) seek a declaratory judgment that no coverage exists under the terms of the policy. Id.
If the insurer does not take either of these actions and is later found to have wrongfully denied
coverage, it has breached its duty to defend. Id. at 150-51. As a result, the insurer is estopped from
later asserting any policy defenses to coverage, even if those defenses may have been successful
in the absence of the breach. Id. at 151-52. However, estoppel applies only when an insurer
breached its duty to defend, so a court must first determine whether the insurer has a duty to defend
and whether it breached that duty. Id. at 151.
¶ 18 We evaluate an insurer’s duty to defend by comparing the allegations of the underlying
complaint to the language of the insurance policy. Uhlich Children’s Advantage Network v.
National Union Fire Co. of Pittsburgh, 398 Ill. App. 3d 710, 716 (2010). If the allegations of the
underlying complaint potentially fall within the policy’s coverage, the insurer is obligated to
defend the insured even if the allegations of the underlying lawsuit are groundless or false. Id.
-7- No. 1-23-1712
¶ 19 Tony’s has the burden of demonstrating that the facts alleged in the underlying Act
complaint potentially fall within coverage of the policies at issue. See Addison Insurance Co. v.
Fay, 232 Ill. 2d 446, 453 (2009).
¶ 20 The underlying Act complaint alleges that Tony’s required Figueroa and other employees
to scan their fingerprints into a database maintained by Kronos and to use Kronos’s fingerprint
recognition software to clock in and out of work. The complaint alleges that Tony’s violated the
Act by failing to (1) inform employees of the purpose and length of time for which their biometric
data was being collected, stored, used, and disseminated, (2) publish a retention schedule for the
permanent deletion of employees’ biometric data, and (3) obtain releases from employees
authorizing the collection, storage, usage, and dissemination of their biometric data. The complaint
alleges that Tony’s “improperly disclose[d] [its] employees’ biometric data to at least one third-
party, Kronos, and likely others,” who are “currently unknown.” The complaint alleges that Tony’s
violated subsections (a), (b), and (d) of section 15 of the Act (740 ILCS 14/15(a), (b), (d) (West
2018)) for, respectively, failing to publish a schedule for the deletion of biometric data, failing to
obtain employees’ written consent to collect their biometric data, and disclosing biometric data
without employees’ consent.
¶ 21 The insurance policy at issue provides coverage for losses incurred by Tony’s resulting
from “a data breach, security failure, or extortion threat.” “[D]ata breach” means “the acquisition,
access, or disclosure of personally identifiable information or confidential corporate information
by a person or entity, or in a manner, that is unauthorized by [Tony’s].” “[S]ecurity failure” means
“any failure by [Tony’s] or by others on [Tony’s] behalf (including [Tony’s] subcontractors,
outsourcers, or independent contractors) in securing [Tony’s] computer system.” “[E]xtortion
-8- No. 1-23-1712
threat” means “a threat from a third-party to commit an intentional attack against [Tony’s] website
or computer systems or publicly disclose confidential corporate information or personally
identifiable information misappropriated from [Tony’s] if money, securities, or other property of
value is not paid.”
¶ 22 We find that the allegations of the underlying Act lawsuit do not even potentially fall within
the policy’s coverage. The policy provides coverage for Tony’s losses resulting from a data breach
or security failure. 4 The definitions of data breach and security failure do not include Tony’s
alleged violations of the Act via its own collection, use, storage, or dissemination of employees’
biometric data. A data breach requires access to employee data that is unauthorized by Tony’s.
The underlying Act lawsuit does not allege that anyone obtained Tony’s employees’ biometric
data without Tony’s authorization. On the contrary, the underlying lawsuit alleges that Tony’s (and
Kronos, with Tony’s authorization) collected, stored, used, and disseminated employees’
biometric data. There is no allegation that Tony did not authorize these actions.
¶ 23 Furthermore, the underlying Act lawsuit does not allege that Tony’s or Kronos failed to
secure their computer systems. In fact, the amended complaint says nothing at all about the security
of Tony’s or Kronos’ computer systems.
¶ 24 Remprex, LLC v. Certain Underwriters at Lloyd’s London, 2023 IL App (1st) 211097,
guides our reasoning. That case involved a dispute over whether Remprex had insurance coverage
for an Act class action alleging that Remprex and another transportation company collected truck
drivers’ fingerprint biometric data and shared it with each other without the drivers’ permission.
4 Tony’s does not appear to contend that the allegations of the underlying Act lawsuit fall under the definition of “extortion threat.”
-9- No. 1-23-1712
Id. ¶¶ 3, 9. This court found that Lloyd’s had no duty to defend Remprex in the underlying Act
lawsuit. Id. ¶ 78. The court explained the “data breach” coverage provision of the insurance policy
at issue applied to “third-party breaches of [Remprex’s] computer systems that in turn expose[d]
the stored personal information to unauthorized persons.” Id. ¶¶ 76, 78. However, the underlying
Act complaint “contained no allegations that an unauthorized third party accessed individuals’
personal information and shared it with the public; instead, it merely alleged that the named parties
engaged in the unauthorized collection of their personal information without their consent, which
in turn is a violation of [the Act].” Id. ¶ 78. That scenario is essentially the same as this case. So,
like the court in Remprex, we find that Lloyd’s has no duty to defend Tony’s in the underlying Act
class action. See id.
¶ 25 Additionally, Lloyd’s has no duty to defend Tony’s because the policy specifically
excludes from coverage allegations like those of the underlying Act lawsuit. The pertinent
exclusion provides:
“This policy does not apply to and [Lloyd’s] will have no obligation to pay any loss,
a. collection of information by [Tony’s] (or others on [Tony’s] behalf)
without the knowledge or permission of the persons to whom such information
relates; however, this exclusion will not apply if no board member, trustee, director,
or officers (or equivalent position) of [Tony’s] knew or had reason to know of such
- 10 - No. 1-23-1712
b. use of personally identifiable information by [Tony’s] (or others on
This language precisely describes the allegations of the underlying Act lawsuit and excludes them
from coverage.
¶ 26 We acknowledge that neither the parties nor the circuit court addressed this exclusion.
Generally, a reviewing court should not search the record for unargued and unbriefed reasons to
reverse the circuit court’s judgment. People v. Givens, 237 Ill. 2d 311, 323 (2010). However, that
rule is relaxed when a reviewing court considers exclusionary language in an insurance policy
because we review the interpretation of an insurance policy de novo and must consider the policy
as a whole. Landmark American Insurance Co. v. NIP Group, Inc., 2011 IL App (1st) 101155,
¶¶ 76-77. Moreover, we do “not lack authority to address unbriefed issues and may do so in the
appropriate case, i.e., when a clear and obvious error exists in the trial court proceedings.” Givens,
237 Ill. 2d at 325. The parties’ failure to bring an exclusion provision that clearly applies to this
case to the circuit court’s attention presents a scenario in which a “clear and obvious error” compels
our independent consideration.
¶ 27 Tony’s argues that the allegations of the underlying Act lawsuit potentially fall within the
definition of “security failure” or “data breach” because, although Tony’s authorized Kronos to
access and store employees’ biometric data, Tony’s did not authorize Kronos to access or store
that data in a non-Act-compliant manner. Tony’s implies that Kronos committed a “security
failure” that resulted in the disclosure of Tony’s employees’ biometric data to unknown third
parties, i.e., a “data breach.” We disagree. The underlying Act complaint contains no allegations
- 11 - No. 1-23-1712
regarding the security of Tony’s or Kronos’s computer systems, and Figueroa does not allege that
Kronos did anything with biometric data that was not authorized by Tony’s.
¶ 28 Furthermore, the underlying complaint concedes that Figueroa and other “employees have
no idea whether [Tony’s] sells, discloses, re-discloses, or otherwise disseminates their biometric
data.” The complaint claims that “if a database containing fingerprints or other sensitive,
proprietary biometric data is hacked, breached, or otherwise exposed—like in the recent Google+,
Equifax, Uber, Facebook/Cambridge Analytica and Marriot data breaches or misuses—employees
have no means by which to prevent” misuse of their biometric data. (Emphasis added.) The
complaint also references a 2015 data breach at the United States Office of Personnel Management
and a 2018 breach of an Indian biometric database called Aadhaar. These incidents may be
examples of the type of data breaches that would qualify for coverage under the policy at issue,
but none of them involves Tony’s. Similarly, the complaint claims that Tony’s Act violations
“have raised a material risk that [Figueroa’s] and other similarly-situated individuals’ biometric
data will be unlawfully accessed by third parties.” (Emphasis added.) That statement presents a
hypothetical scenario; it is not an allegation that such a breach has occurred.
¶ 29 Altogether, the underlying Act lawsuit describes Tony’s and Kronos collecting, storing,
using, and possibly disseminating Tony’s employees’ biometric data in ways that violate the Act.
The insurance policy expressly excludes such allegations from coverage. The underlying Act
lawsuit does not allege any sort of third-party access to Tony’s employees’ data that Tony’s did
not authorize, either due to computer security failures or for any other reason. That type of scenario
is what the insurance policy covers. Accordingly, we find that the allegations of the underlying
- 12 - No. 1-23-1712
Act lawsuit do not even potentially qualify for coverage; therefore, Lloyd’s has no duty to defend
Tony’s.
¶ 30 Because we find that Lloyd’s has no duty to defend Tony’s in the underlying Act lawsuit,
we need not address the parties’ arguments regarding whether Tony’s timely reported the Act
lawsuit to Lloyd’s. The allegations of the underlying Act lawsuit do not qualify for coverage
regardless of whether Tony’s timely reported that lawsuit to Lloyd’s. Accordingly, we reverse the
circuit court’s grant of summary judgment in Tony’s favor and remand with directions for the
circuit court to enter summary judgment in favor of Lloyd’s on the issue of the duty to defend. See
Pekin Insurance Co. v. United Contractors Midwest, Inc., 2013 IL App (3d) 120803, ¶ 35.
¶ 31 III. CONCLUSION
¶ 32 For the foregoing reasons, we reverse the circuit court’s grant of summary judgment in
Tony’s favor and remand with directions for the circuit court to enter summary judgment in
Lloyd’s favor on the issue of the duty to defend.
¶ 33 Reversed; cause remanded with directions.
¶ 34 JUSTICE REYES, dissenting:
¶ 35 I disagree with the majority’s decision to reverse the grant of summary judgment in favor
of Tony’s and to direct the circuit court to enter summary judgment in favor of Lloyd’s.
¶ 36 The duty to defend is a fundamental obligation of an insurer. Employers Insurance of
Wausau v. Ehlco Liquidating Trust, 186 Ill. 2d 127, 151 (1999). “An insurer may not justifiably
refuse to defend an action against its insured unless it is clear from the face of the underlying
complaint that the allegations set forth in that complaint fail to state facts that bring the case within
or potentially within the insured’s policy coverage.” General Agents Insurance Co. of America,
- 13 - No. 1-23-1712
Inc. v. Midwest Sporting Goods Co., 215 Ill. 2d 146, 154 (2005). The allegations of the complaint
should be liberally construed in favor of the insured, and the duty to defend exists even if the
allegations are groundless, fraudulent, or false. Acuity v. M/I Homes of Chicago, LLC, 2023 IL
129087, ¶¶ 28-29.
¶ 37 In this case, I am unpersuaded by the majority’s finding that the allegations of the
underlying Biometric Information Privacy Act (740 ILCS 14/1 et seq. (West 2018)) complaint do
not even potentially fall within the policy coverage. Tony’s contracted with Kronos to manage the
employees’ biometric information. A plausible inference is that Tony’s expected Kronos to
manage the biometric information in a manner compliant with applicable law. To the extent that
the operative complaint alleges unlawful disclosures of such information, those allegations
potentially fall within the definition of a “data breach” or a “security failure,” as defined in the
policy. Furthermore, I consider the majority’s analysis of a policy exclusion that was not raised by
the parties to be unnecessary and possibly improper, irrespective of our de novo standard of review.
See Commonwealth Edison Co. v. Illinois Commerce Comm’n, 2016 IL 118129, ¶ 10 (noting that
reviewing courts generally do not render advisory opinions).
¶ 38 When the underlying complaint against the insured alleges facts within or potentially
within the scope of the policy coverage, the insurer taking the position that the complaint is not
covered by the policy must either defend its insured under a reservation of rights or seek a
declaratory judgment that no coverage exists. State Farm Fire & Casualty Co. v. Martin, 186 Ill.
2d 367, 371 (1999). Based on its failure to take either of these steps, I agree with the circuit court’s
conclusion that Lloyd’s is estopped from asserting a late-notice defense (or any other defense).
Therefore, I respectfully dissent.
- 14 - No. 1-23-1712
Tony’s Finer Foods Enterprises, Inc. v. Certain Underwriters at Lloyd’s, London, 2024 IL App (1st) 231712
Decision Under Review: Appeal from the Circuit Court of Cook County, No. 22-CH-9420; the Hon. Joel Chupack, Judge, presiding.
Attorneys Geoffrey J. Repo, of Gordon Rees Scully Mansukhani LLP, of for Chicago, for appellants. Appellant:
Attorneys Eamon P. Kelly and Clayton Faits, of Sperling & Slater LLC, of for Chicago, for appellee. Appellee:
- 15 -