Remprex, LLC v. Certain Underwriters at Lloyd's London, Syndicates 2623/623 , 2023 IL App (1st) 211097 ( 2023 )
Menu:
-
2023 IL App (1st) 211097SIXTH DIVISION March 31, 2023 Filing Date Nos. 1-21-1097 & 1-22-0308 (cons.) ______________________________________________________________________________ IN THE APPELLATE COURT OF ILLINOIS FIRST JUDICIAL DISTRICT ______________________________________________________________________________ REMPREX, LLC, ) ) Appeal from the Plaintiff-Appellant, ) Circuit Court of ) Cook County. v. ) ) No. 20 CH 5507 CERTAIN UNDERWRITERS AT LLOYD’S LONDON, ) SYNDICATES 2623/623, ) The Honorable ) Anna M. Loftus, Defendant-Appellee. ) Judge, Presiding. JUSTICE ODEN JOHNSON delivered the judgment of the court, with opinion. Presiding Justice Mikva & Justice C.A. Walker concurred in the judgment and opinion. OPINION ¶1 This appeal stems from a declaratory judgment action filed by plaintiff, Remprex, LLC, against defendants, Certain Underwriters at Lloyd’s London, Syndicates 2623/623 (Lloyd’s), in which plaintiff sought a declaration that Lloyd’s had a duty to defend it with regard to alleged violations of the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14/1 et seq. (West 2018)). Remprex’s complaint also alleged breach of contract, bad-faith claims Nos. 1-21-1097 & 1-22-0308 (cons.) practices, vexatious and unreasonable conduct, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1 et seq. (West 2018)), and common law fraud. The circuit court granted Lloyd’s section 2-615 (735 ILCS 5/2-615 (West 2020)) motion to dismiss the complaint in its entirety, and Remprex appeals from that order. On appeal, Remprex contends that Lloyd’s had a duty to defend it in the two underlying lawsuits that alleged BIPA violations pursuant to two provisions of the policy which provided coverage for claims based on the dissemination of information to the public and for claims based on a loss for which Remprex was liable. For the reasons that follow, we affirm in part, reverse in part and remand for calculation of damages. 1 ¶2 I. BACKGROUND ¶3 Briefly stated, this case concerns a dispute over whether Remprex had insurance coverage for costs sustained by it with regard to two class action lawsuits involving alleged violations of BIPA. The facts are taken from the parties’ pleadings filed during the course of Remprex’s declaratory judgment action, which was initially filed on August 24, 2020. ¶4 A. BNSF Lawsuit ¶5 According to Remprex, it was implicated by BNSF Railway Company (BNSF) in a class action suit initiated by truck driver Richard Rogers (Rogers) against BNSF (BNSF lawsuit) in April 2019. the suit alleged that BNSF violated his privacy rights by collecting, capturing, storing, transferring, using, or otherwise obtaining his biometric information in a negligent or reckless manner. Remprex was never a named defendant in the BNSF suit, however, BNSF’s answer and affirmative defenses alleged that it contracted with Remprex to provide a number 1 Oral arguments were held in this appeal on January 12, 2023. -2- Nos. 1-21-1097 & 1-22-0308 (cons.) of services at BNSF facilities, including automated gate systems, since July 1, 2007. Additionally, BNSF indicated in an affirmative defense that any alleged use of fingerprints would have been provided to and at the request of Remprex. Remprex’s letter to Lloyd’s requesting coverage for this matter indicated that BNSF sought indemnification pursuant to the terms of a contract between Remprex and BNSF. ¶6 In March 2020, Remprex indicated that it attended an unsuccessful mediation session between the named parties to the BNSF lawsuit before JAMS (a provider of mediation, arbitration, and alternate dispute resolution services) at the request of both Rogers’ counsel and BNSF. Remprex believed that, based on communication between the parties before and after the mediation, it would be expected to contribute to any proposed settlement. ¶7 On August 5, 2020, Remprex received a broad subpoena for records, and in response it produced thousands of documents to the parties. Additionally, two of Remprex’s principals received deposition notices from Rogers’ counsel and were deposed. Remprex further contended that its continued participation was sought by the parties in the ongoing BNSF lawsuit, and it participated in a second unsuccessful mediation on April 7, 2021. We take judicial notice that the BNSF lawsuit went to trial and resulted in a jury award in favor of the class and against BNSF on October 12, 2022. Beyond the actions mentioned here, Remprex was never otherwise involved in the BNSF lawsuit. ¶8 B. CN Lawsuit ¶9 On July 26, 2019, Rogers filed a second class action lawsuit for alleged violations of BIPA against Remprex, Illinois Central Railroad Company (ICRC) and CN Transportation, Ltd., an affiliate of the Canadian National Railway Company (CN lawsuit). The suit raised similar allegations to those raised in the BNSF lawsuit. With respect to Remprex, Rogers alleged that -3- Nos. 1-21-1097 & 1-22-0308 (cons.) it engineered, designed, installed, operated, and managed biometric technology software and hardware. Additionally, Rogers alleged that CN used Remprex’s technology at its railyards and the two companies acted jointly in violating his privacy rights by collecting, capturing, storing, transferring, using, or otherwise obtaining his biometric information in a negligent or reckless manner. Further, Rogers alleged that Remprex used and shared his and other truck drivers’ fingerprint scans in an unauthorized manner as part of a biometric-based automated gate system at Illinois railyards for companies like CN, and improperly disseminated that information. ¶ 10 Remprex moved to dismiss Rogers’ complaint on August 30, 2019, and on November 14, 2019, Rogers voluntarily dismissed Remprex from the case. ¶ 11 C. Remprex’s Claims and Circuit Court Proceedings ¶ 12 Remprex maintained a “Beazley Breach Response” (BBR) policy, underwritten by Lloyd’s that covered a policy period of July 30, 2018, to July 30, 2019. Among other things, the policy provided coverage for data & network liability and media liability. The policy also contained a choice of law provision which provided that New York law governed disputes about its terms. ¶ 13 In June 2019, Remprex notified Lloyd’s of its claims under its policy, namely under the Data & Network Liability and Media Liability provisions, which Remprex contended were applicable to the BNSF and CN lawsuits. In its correspondence to Lloyd’s, Remprex explained that both suits concerned the unlawful creation, collection, dissemination, and unauthorized disclosure of private personal information in the form of fingerprint data, by or on behalf of Remprex, which triggered the coverage and Lloyd’s corresponding responsibility to cover all reasonable and necessary legal costs and expenses resulting from the investigation and defense of those suits. -4- Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 14 Lloyd’s responded in writing on November 19, 2019, denying coverage because it determined that neither the CN lawsuit nor the BNSF lawsuit implicated the policy’s coverage. Specifically, Lloyd’s stated that neither the Data & Network Liability nor the Media Liability provisions covered the circumstances in the two underlying lawsuits. Both parties engaged in correspondence back and forth for a few months, with Lloyd’s final correspondence about the matter occurring in April 2020. ¶ 15 Remprex filed suit against Lloyd’s on August 24, 2020. Lloyd’s responded by filing its appearance on November 20, 2020, and a section 2-615 (735 ILCS 5/2-615 (West 2020)) motion to dismiss on December 21, 2020. Remprex subsequently filed its six-count, first amended complaint on April 19, 2021. Count I sought a declaration that Lloyd’s had a duty to defend and indemnity it in the CN and BNSF lawsuits; count II alleged breach of contract; count III alleged bad faith; count IV alleged vexatious and unreasonable conduct; count V alleged a violation of the Illinois Consumer Fraud Act (815 ILCS 505/1 et seq. (West 2020)); and count VI alleged common law fraud. Remprex based the allegations of its complaint on the underlying CN and BNSF complaints, the BNSF answer and subpoena, and Lloyd’s written denials of its claims for coverage. ¶ 16 Lloyd’s responded with a second section 2-615 motion to dismiss. Lloyd’s first contended that it had no duty to defend Remprex for either the CN or BNSF complaints because a comparison of the underlying complaint and the insurance policy showed that there was no duty to defend under the Media Liability or Data & Network Liability coverages. ¶ 17 With respect to the CN lawsuit, Lloyd’s noted that the policy’s definition of Media Liability covered liability for creating, displaying, broadcasting, disseminating, or releasing Media Material to the public, and the CN complaint did not allege that Remprex did any of those -5- Nos. 1-21-1097 & 1-22-0308 (cons.) things. Rather, the CN complaint alleged that Remprex violated BIPA by “capturing and obtaining” and “collecting and storing” biometric information without appropriate consents, and there was no allegation that any information was released to the public or that Remprex took any action directed to the public. Lloyd’s disagreed with Remprex’s wide interpretation of “to the public,” namely that an allegation of dissemination to certain select entities would be sufficient to satisfy the policy language requiring dissemination to the public. Lloyd’s concluded that because there was no allegation in the CN complaint that Remprex disseminated any information to the public, it had no duty to defend the CN complaint under the Media Liability coverage of the policy. ¶ 18 Lloyd’s further contended that it had no duty to defend the CN lawsuit under the Data & Network Liability coverage of the policy because there was no allegation of a data breach or security breach in the CN complaint. Lloyd’s noted that the CN complaint was not a claim against Remprex for the theft or loss of information that in Remprex’s care, custody or control, or the disclosure of such information without Remprex’s authorization. Rather, the CN complaint alleged that Remprex collected information from Rogers without his consent; thus, it was not covered or potentially covered as a data breach. Nor did the CN complaint allege behaviors that would constitute a security breach as it was not a claim for the failure of computer security to prevent unauthorized access or use of computer systems, nor was there any allegation against Remprex that its computer security failed to prevent unauthorized access or use of its computer systems. Because the CN complaint did not mention Remprex’s computer security, Lloyd’s concluded that the CN complaint was not covered or potentially covered as a security breach. -6- Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 19 With respect to the BNSF suit, Lloyd’s initially noted that Remprex was not a party to the suit and that although Remprex sought coverage for the BNSF complaint, the BNSF answer, and for a third-party subpoena for documents received by Remprex from Rogers, those items were not covered by the policy. First, Lloyd’s contended that the BNSF complaint, answer and subpoena were not claims made against Remprex as Remprex was not named in the complaint and the complaint sought no money or services from Remprex. Similarly, Lloyd’s argued that the BNSF answer to the complaint and the subpoena were not claims against Remprex as they were not filed against Remprex and demanded no money or services from Remprex. Lloyd’s acknowledged that Remprex received a letter from BNSF requesting indemnity for the claims brought by Rogers pursuant to an indemnification provision in a contract between BNSF and Remprex; however, the first amended complaint did not make any claims in connection with BNSF’s request for contractual indemnification, and further, such claim would not be covered as the policy specifically excluded any loss arising from a contractual liability or obligation. Additionally, Lloyd’s noted that Remprex did not notify it of the subpoena when Remprex received it and never attempted to claim coverage for the subpoena, thus Lloyd’s had no duty to defend Remprex in connection with the subpoena. ¶ 20 Lloyd’s also contended that Remprex failed to state a claim in count III (bad faith) under 215 ILCS 5/154.6 (West 2020)), because the complaint pled no facts to support its “bare assertion” of improper claims handling, and because the statute relied upon was regulatory, Remprex had no cause of action as a policyholder. ¶ 21 With respect to count IV (vexatious and unreasonable conduct) under 215 ILCS 5/155 (West 2020)), Lloyd’s argued that Remprex failed to state a claim because: (1) disputes under the policy were governed by New York law so a claim could not be brought under an Illinois -7- Nos. 1-21-1097 & 1-22-0308 (cons.) statute; (2) a section 155 claim could not proceed when there was no duty to defend; (3) Remprex alleged no facts showing that Lloyd’s position was not reasonable and bona fide; and (4) the only fact alleged in support of the claim was that Lloyd’s issued its letter denying coverage in November 2019, several months after Remprex first provided notice of its claims in June 2019, which was insufficient to support its claim because the two entities were in communication throughout that time period. ¶ 22 With respect to Remprex’s claim under the Consumer Fraud Act (count V) (815 ILCS 505/1 et seq. (West 2020)), Lloyd’s argued that the CN and BNSF complaints were not covered under the policy, so coverage was appropriately denied. Additionally, the policy required that New York law be applied, so Remprex could not bring a claim under an Illinois statute. Lloyd’s also contended that Remprex’s claim was a restatement of its breach of contract claim which could not support a violation of the Consumer Fraud Act, and that Remprex failed to identify any specific misrepresentations or unfair acts or practices in its first amended complaint. ¶ 23 Finally, Lloyd’s contended that Remprex failed to state a claim in count VI (common law fraud) because the CN and BNSF complaints were not covered by the policy, so coverage was appropriately denied. Additionally, Lloyd’s noted that a party could not state a claim of fraud by alleging that a counterparty did not comply with the parties’ contract, which was the basis of Remprex’s claim, and further that Remprex failed to allege the elements of fraud. ¶ 24 Lloyd’s therefore concluded that Remprex’s first amended complaint should be dismissed with prejudice in its entirety. ¶ 25 Remprex filed a response in which it raised essentially the same allegations contained in its first amended complaint. The circuit court subsequently heard argument on the motion on August 5, 2021, via a Zoom teleconference. At the hearing, the court indicated that it had -8- Nos. 1-21-1097 & 1-22-0308 (cons.) reviewed the materials submitted by both sides, and allowed time for oral argument. After hearing argument, the circuit court found that there was no coverage for the CN lawsuit under the policy because there was no dissemination of any data to the public, just transmission between parties affiliated with one another. With respect to the BNSF lawsuit, the court noted that because Remprex was not named, it could not determine whether there was coverage. The circuit court dismissed the remaining counts of the first amended complaint. ¶ 26 The circuit court subsequently entered its written order on August 12, 2021, granting Lloyd’s motion to dismiss. The order indicated that “[f]or the reasons stated on the record,” counts 1 and 2 for declaratory judgment and breach of contract were dismissed with prejudice to the extent that they asserted causes of action arising from Lloyd’s refusal to defend Remprex in the CN lawsuit or to indemnify it for expenses or liability incurred in defense of the CN lawsuit. The order additionally dismissed counts 1 and 2 without prejudice with respect to the BNSF lawsuit so that Remprex could seek a declaratory judgment regarding coverage if it was subsequently named in the BNSF lawsuit. 2 Counts I through VI were dismissed with prejudice, and the order was entered as a final order which resolved all outstanding issues in the case. ¶ 27 Remprex filed its timely notice of appeal on September 2, 2021 (case number 21-1097). However, on February 2, 2022, Rempex filed a motion to remand to the circuit court for entry of a final order. On February 16, 2022, this court granted the motion to remand for the limited purpose of having the circuit court clarify whether its order of August 12, 2021, was intended as a final order disposing of the case. In response, the circuit court entered a subsequent order on Lloyd’s motion to dismiss on February 28, 2022, which dismissed counts I and II with 2 As previously noted, the BNSF lawsuit ended in a jury verdict on October 12, 2022, and Remprex was never named as a party to that suit. -9- Nos. 1-21-1097 & 1-22-0308 (cons.) prejudice as related to the BNSF lawsuit because Remprex was not named as a defendant in that lawsuit. All other relief remained the same. Remprex filed a second notice of appeal on March 3, 2022 (case number 22-0308), which was subsequently consolidated with the earlier appeal. ¶ 28 D. The Insurance Policy ¶ 29 As noted above, the BBR policy at issue was issued to Remprex by Lloyd’s as underwriters for the policy period of July 30, 2018, through July 30, 2019. The policy included a BBR Information Pack. Under the BBR Insuring Agreements Breach Responses section, the purpose of the policy was “[t]o provide Breach Response Services to the Insured Organization because of an actual or reasonably suspected Data Breach or Security Breach that the Insured first discovers during the Policy Period.” (Emphasis in original). ¶ 30 Applicable to this appeal, the Data & Network Liability section of the policy provided as follows: “Data & Network Liability To pay Damages and Claims Expenses, which the Insured is legally obligated to pay because of any Claim first made against any Insured during the Policy Period for: 1. a Data Breach; 2. a Security Breach; *** 4. failure by the Insured to comply with that part of a Privacy Policy that specifically: (a) prohibits or restricts the Insured Organization’s disclosure, sharing or selling of Personally Identifiable Information; - 10 - Nos. 1-21-1097 & 1-22-0308 (cons.) (b) requires the Insured Organization to provide an individual access to Personally Identifiable Information or to correct incomplete or inaccurate Personally Identifiable Information after a request is made; or (c) mandates procedures and requirements to prevent the loss of Personally Identifiable Information; provided the Insured Organization has in force, at the time of such failure, a Privacy Policy that addresses those subsections above that are relevant to such Claim.” (Emphasis in the original). ¶ 31 The Media Liability section of the policy provided as follows: “Media Liability To pay Damages and Claims Expenses, which the Insured is legally obligated to pay because of any Claim first made against any Insured during the Policy Period for Media Liability.” (Emphasis in the original). ¶ 32 The definitions section of the policy also contains several relevant definitions as follows: “Breach Notice Law means any statute or regulation that requires notice to persons whose personal information was accessed or reasonably may have been accessed by an unauthorized person. Breach Notice Law also includes any statute or regulation requiring notice of a Data Breach to be provided to governmental or regulatory authorities. Breach Response Services means the following fees and costs in response to an actual or reasonably suspected Data Breach or Security Breach: ***” “Claim means: 1. a written demand received by any Insured for money or services; - 11 - Nos. 1-21-1097 & 1-22-0308 (cons.) *** 3. with respect to coverage provided under part 1. of the Data & Network Liability insuring agreement only, a demand received by any Insured to fulfill the Insured Organization’s contractual obligation to provide notice of a Data Breach pursuant to a Breach Notice Law. Multiple Claims arising from the same or a series of related, repeated or continuing acts, errors, omissions or events will be considered a single Claim for the purposes of this Policy. Claims Expenses means: 1. all reasonable and necessary legal costs and expenses resulting from the investigation, defense and appeal of a Claim, if incurred by the Underwriters, or by the Insured with the prior written consent of the Underwriters; *** Claims Expenses will not include any salary, overhead, or other charges by the Insured for any time spent in cooperating in the defense and investigation of any Claim or circumstance that might lead to a Claim notified under this Policy, or costs to comply with any regulatory orders, settlements or judgments. Computer Systems means computers, any software residing on such computers and any associated devices or equipment: 1. operated by and either owned by or leased to the Insured Organization; or 2. with respect to coverage under the Breach Response and Liability insuring agreements, operated by a third party pursuant to a written contract with the Insured Organization and used for the purposes of providing hosted computer - 12 - Nos. 1-21-1097 & 1-22-0308 (cons.) application services to the Insured Organization or for processing, maintaining, hosting or storing the Insured Organization’s electronic data.” “Damages means a monetary judgment, award or settlement, including any award of prejudgment or post-judgment interest; but Damages will not include: *** 9. any amounts for which the Insured is not liable, or for which there is no legal recourse against the Insured. Data means any software or electronic data that exists in Computer Systems and that is subject to regular back-up procedures. Data Breach means the theft, loss, or Unauthorized Disclosure of Personally Identifiable Information or Third Party Information that is in the care, custody or control of the Insured Organization or a third party for whose theft, loss or Unauthorized Disclosure of Personally Identifiable Information or Third Party Information the Insured Organization is liable.” “Loss means Breach Response Services, Business Interruption Loss, Claims Expenses, Criminal Reward Funds, Cyber Extortion Loss, Damages, Data Recovery Costs, Dependent Business Loss, PCI Fines, Expenses and Costs, Penalties, loss covered under the eCrime insuring agreement and any other amounts covered under this Policy.” “Media Liability means one or more of the following acts committed by, or on behalf of, the Insured Organization in the course of creating, displaying, broadcasting, disseminating or releasing Media Material to the public: - 13 - Nos. 1-21-1097 & 1-22-0308 (cons.) 1. defamation, libel, slander, product disparagement, trade libel, infliction of emotional distress, outrage, outrageous conduct, or other tort related to disparagement or harm to the reputation or character of any person or organization; 2. a violation of the rights of privacy of an individual, including false light, intrusion upon seclusion and public disclosure of private facts; 3. invasion or interference with an individual’s right of publicity, including commercial appropriation of name, persona, voice or likeness; 4. plagiarism, piracy, or misappropriation of ideas under implied contract; 5. infringement of copyright; 6. infringement of domain name, trademark, trade name, trade dress, logo, title, metatag, or slogan, service mark or service name; 7. improper deep-linking or framing; 8. false arrest, detention or imprisonment; 9. invasion of or interference with any right to private occupancy, including trespass, wrongful entry or eviction; or 10. unfair competition, if alleged in conjunction with any of the acts listed in parts 5. or 6. above. Media Material means any information, including words, sounds, numbers, images or graphics, but will not include computer software or the actual goods, products or services described, illustrated or displayed in such Media Material.” “Personally Identifiable Information means: - 14 - Nos. 1-21-1097 & 1-22-0308 (cons.) 1. any information concerning an individual that is defined as personal information under any Breach Notice Law; and 2. an individual’s driver’s license or state identification number, social security number, unpublished telephone number, and credit, debit or other financial account numbers in combination with associated security codes, access codes, passwords or PINs; if such information allows an individual to be uniquely and reliably identified or contacted of allows access to the individual’s financial account or medical record information. but will not include information that is lawfully made available to the general public.” “Security Breach means a failure of computer security to prevent: 1. Unauthorized Access or Use of Computer Systems, including Unauthorized Access or Use resulting from the theft of a password from a Computer System or from any Insured; 2. a denial of service attack affecting Computer Systems; 3. with respect to coverage under the Liability insuring agreements, a denial of service attack affecting computer systems that are not owned, operated or controlled by an Insured; or 4. infection of Computer Systems by malicious code or transmission of malicious code from Computer Systems.” “Unauthorized Disclosure means the disclosure of (including disclosure resulting from phishing) or access to information in a manner that is not authorized by the Insured Organization and is without knowledge of, consent or acquiescence of any member of the Control Group.” (Emphasis in original). ¶ 33 The policy also excluded certain types of losses. With respect to the gathering or distribution of information, the policy excluded any loss arising out of “the unlawful collection - 15 - Nos. 1-21-1097 & 1-22-0308 (cons.) or retention of Personally Identifiable Information or other personal information by or on behalf of the Insured Organization;” but the exclusion did not apply to “Claims Expenses incurred in defending the Insured against allegations of unlawful collection of Personally Identifiable Information.” The policy also excluded from coverage, under the Media Liability insuring agreement, “any contractual liability or obligation,” but the exclusion did not apply to a claim for misappropriation of ideas under implied contract. ¶ 34 The policy further provided that, “[e]xcept with respect to coverage under the Payment Card Liabilities & Costs insuring agreement, the Underwriters ha[d] the right and duty to defend any covered Claim or Regulatory Proceeding.” ¶ 35 II. ANALYSIS ¶ 36 On appeal, Remprex contends that Lloyd’s had a duty to defend it in the two underlying lawsuits that alleged BIPA violations pursuant to two provisions of the policy. The provisions at issue provided coverage for claims based on the dissemination of information to the public and for claims based on a loss for which Remprex was liable. Specifically, Remprex argues that: (1) it stated valid claims for declaratory judgment and breach of contract because Lloyd’s had a duty to defend under the insurance policy; (2) the circuit court erred in dismissing its claims merely because Remprex was not named as a defendant in the BNSF lawsuit; and (3) the circuit court erred in dismissing Remprex’s remaining claims for breach of contract, violation of the Consumer Fraud Act and common law fraud. ¶ 37 A. Standard of Review ¶ 38 This is an appeal from the circuit court’s grant of a section 2-615 (735 ILCS 5/2-615 (West 2020)) motion to dismiss for failure to state a cause of action. Specifically, Lloyd’s motion to dismiss contended that the facts alleged by Remprex did not fall, or even potentially fall, within - 16 - Nos. 1-21-1097 & 1-22-0308 (cons.) the scope of coverage in the insurance policy it issued to Remprex. A motion to dismiss under section 2-615 of the Code challenges the legal sufficiency of the complaint by alleging defects on its face. Omega Demolition Corporation v. The Illinois State Toll Highway Authority,
2022 IL App (1st) 210158, ¶ 36. A court should grant a section 2-615 motion to dismiss only if it is apparent that the plaintiff cannot prove any set of facts that will entitle it to recover. Board of Trustees of Community College District No. 502, County of DuPage v. Department of Professional Regulation,
363 Ill. App. 3d 190, 196 (2006). The question is whether, even assuming that all well-pleaded facts in the complaint are true, the complaint states a legally recognized cause of action. Omega Demolition,
2022 IL App (1st) 210158, ¶ 36. In making this determination, a court will construe the complaint’s allegations in the light most favorable to plaintiff and draw reasonable inferences in the plaintiff’s favor.
Id.An appellate court reviews a circuit court’s order granting a section 2-615 motion de novo.
Id.Additionally, we may affirm on any basis appearing in the record, whether or not the trial court relied on that basis or its reasoning was correct.
Id.¶ 39 B. Choice of Law Provision in the Policy ¶ 40 As a preliminary matter, we note that the policy at issue contained a choice of law provision that designated New York law to apply to disputes. In the absence of a specific choice of law provision, the general choice of law rules of the forum state control. U.S. Gypsum Co. v. Admiral Insurance Co.,
268 Ill. App. 3d 598, 635 (1994). It is undisputed that the insurance policy at issue designated New York law to apply to any disputes. Nor is there any dispute between the parties about the applicability of the choice of law provision contained in the policy as it relates to Lloyd’s duty to defend. We will therefore apply the parties’ chosen law, New York, in interpreting this insurance policy. - 17 - Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 41 C. New York Contract Interpretation Principles ¶ 42 With respect to the policy, Remprex initially sought declarations that Lloyd’s had a duty to defend and indemnify, while Lloyd’s contended that it had no duty because coverage under the policy was not triggered. In an action for a judgment declaring the parties’ rights under an insurance policy, we must be guided by rules of contract interpretation because an insurance policy is a contract between the insurer and insured. Westchester Fire Insurance Co. v. Schorsch,
129 N.Y.S. 3d 67, 74 (2020). Contract interpretation or construction is usually a court function.
Id.Thus, in interpreting an insurance policy, the court must determine the rights and obligations of the parties, using the specific language of the policy itself. Sunrise Acupuncture, P.C. v. Kemper Independence Insurance Co.,
86 N.Y.S. 3d 710, 712 (2018). To ascertain the parties’ intent from the language of the insurance contract, the court must construe the policy as a whole; all pertinent provisions of the policy should be given meaning, with due regard to the subject matter that is being insured and the purpose of the entire contract. Westchester, 129 N.Y.S. 3d at 74. ¶ 43 When the language in an insurance policy is clear and unambiguous, the interpretation of said document and the determination of the rights and obligations of the parties is a question of law to be adjudicated by the court. Sunrise, d. 86 N.Y.S. 3d at 713. However, if the language in the policy is ambiguous, the court can use extrinsic evidence to determine the intent of the parties to the policy and resolution of the rights and obligations of the parties is a question of fact, to be determined by the trier of fact. Id. If the extrinsic evidence is conclusory, failing to equivocally resolve the ambiguity in a policy, interpretation of the policy remains a question of law for the court to decide; deciding any ambiguities against the insurer. Id. - 18 - Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 44 When interpreting an insurance policy, the language of the policy, when clear and unambiguous, must be given its plain and ordinary meaning. Id. The policy should be construed in such a way “that affords a fair meaning to all of the language employed by the parties in the contract and leaves no provision without force and effect.” Id. (quoting Raymond Corporation v. National Union Fire Insurance Co. of Pittsburgh, PA.,
5 N.Y. 3d 157, 162 (2005)). ¶ 45 We further note while Remprex sought declarations in the circuit court that Lloyd’s had both a duty to defend and indemnify under the policy provisions, Remprex has not made any argument on appeal or cited to any supporting authority with respect to its claims that Lloyd’s had a duty to indemnify and solely concentrates its arguments on Lloyd’s duty to defend under the policy. A point not argued or supported by citation to relevant authority fails to satisfy the requirements of Illinois Supreme Court Rule 341(h)(7) (eff. Oct. 1, 2020). See Lake County Grading Co., LLC v. Forever Construction Co., Inc.,
2017 IL App (2d) 160359, ¶ 83. Since the issue of whether Lloyd’s had a duty to indemnify Remprex has not been raised in this appeal, we therefore do not address that issue herein. See Rodgers v. St. Mary’s Hospital of Decatur,
149 Ill. 2d 302, 309 (1992). We now turn our attention then to the relevant law with respect to an insurer’s duty to defend. ¶ 46 An insurer’s duty to defend its insured arises whenever the allegations in a complaint state a cause of action that gives rise to the reasonable possibility of recovery under the policy. Town of Massena v. Healthcare Underwriters Mutual Insurance Co.,
98 N.Y. 2d 435, 443 (2002). If the allegations of the complaint are even potentially within the language of the insurance policy, there is a duty to defend.
Id.If any of the claims against an insured arguably arise from a covered event, the insurer is required to defend the whole action.
Id.The duty to defend arises whenever the allegations in a complaint against the insured fall within the scope of the risks - 19 - Nos. 1-21-1097 & 1-22-0308 (cons.) undertaken by the insurer and it is immaterial that the complaint against the insured asserts additional claims which fall outside of the policy’s general coverage or within its exclusory provisions.
Id. at 443-44. When an exclusion clause is relied upon to deny coverage, the burden rests on the insurance company to demonstrate that the allegations of the complaint can be interpreted only to exclude coverage.
Id. at 444. The merits of the complaint are irrelevant, and an insured’s right to be accorded legal representation is a contractual right and consideration upon which his premium is in part predicated, and this right exists even if debatable theories are alleged in the pleading against the insured.
Id.Nonetheless, an insurer can be relieved of its duty to defend if it establishes as a matter of law that there is no possible factual or legal basis on which it might eventually be obligated to indemnify its insured under any policy provision. Cumberland Farms, Inc. v. Tower Group, Inc.,
28 N.Y. 3d 1068, 1070 (2016). Thus, we must consider whether Remprex’s losses were caused by a covered event so as to bring the losses within the ambit of the policy. See Throgs Neck Bagels, Inc. v. G.A. Insurance Co. of New York,
671 N.Y.S. 2d 66, 69 (1998). ¶ 47 With these principles in mind, we now turn to the merits of Remprex’s appeal. ¶ 48 D. Lloyd’s Duty to Defend (Counts I and II) ¶ 49 Remprex first contends that it stated valid claims for declaratory judgment and breach of contract because Lloyd’s had a duty to defend it under the policy. Remprex argues that both the CN and BNSF lawsuits triggered the duty to defend against claims based on the dissemination of material to the public, and against claims based on a loss for which Remprex may be liable. Remprex concludes that when the broad presumptions in favor of coverage are properly applied and Remprex’s allegations are viewed in the most favorable light, “it is plain that Remprex has sufficiently set forth allegations arguably triggering Lloyd’s duty to defend” - 20 - Nos. 1-21-1097 & 1-22-0308 (cons.) which was the only requirement to survive Lloyd’s motion to dismiss. Remprex maintains that it sufficiently alleged that Lloyd’s had a duty to defend it under multiple provisions of the policy, and the circuit court’s order dismissing Remprex’s claims should be reversed. It bears mentioning that Remprex combined New York law and Illinois law in support of its contentions. However, as stated above, we will apply New York law pursuant to the choice of law provision in the insurance policy as we address Remprex’s specific contentions individually below. ¶ 50 1. Duty to Defend Against the BNSF Complaint, Answer and Subpoena ¶ 51 Remprex contends that Lloyd’s had a duty to defend it against the BNSF complaint, answer and subpoena under both the Media Liability and Data & Network Liability provisions. Remprex argues that the BNSF suit alleged that BNSF and its vendors, which included Remprex, collected and transferred the plaintiff class members’ biometric information; and BNSF in response to those allegations, claimed that Remprex was the party responsible for the alleged collection and transfer of that information. Remprex concludes that those allegations, namely that Remprex violated BIPA by collecting and transferring biometric data, constituted claims that Remprex disseminated media material to the public, including information concerning individual’s privacy rights. Similarly, Remprex argues that the BNSF suit alleged, in one way or another, that the plaintiffs lost their personally identifiable information (biometric data), and that Remprex was liable for that loss, which was covered under the policy. We disagree. ¶ 52 As noted above, when interpreting an insurance contract, the court must determine the rights and obligations of the parties, using the specific language of the policy itself. Sunrise, 86 N.Y.S. 3d at 712. When the language in an insurance policy is clear and unambiguous, the - 21 - Nos. 1-21-1097 & 1-22-0308 (cons.) interpretation of said document and the determination of the rights and obligations of the parties is a question of law to be adjudicated by the court. Id. at 713. Additionally, we must construe the policy as a whole; all pertinent provisions of the policy should be given meaning, with due regard to the subject matter that is being insured and the purpose of the entire contract. Westchester, 129 N.Y.S. 3d at 74. ¶ 53 In this case, under both the Media Liability and Data & Network Liability provision of the policy at issue, coverage was provided for “damages and claims expenses, which the insured was legally obligated to pay because of any claim first made against any insured during the policy period,” for media liability, a data breach, a security breach, or failure to comply with that part of a privacy policy that specifically prohibited or restricted the insured’s disclosure, sharing or selling of personally identifiable information, provided that the insured had such privacy policy in place. The policy specifically defined a claim as “a written demand received by any insured for money or services,” and further considered a claim under part one of the Data & Network Liability coverage (data breach) to include “a demand received by any insured to fulfill their contractual obligation to provide notice of a data breach pursuant to a breach notice law.” Relevant to the Data & Network Liability coverage, the policy defines a data breach as the theft, loss or unauthorized disclosure of personally identifiable information that is in the care, custody or control of the insured or a third party for whose theft, loss or unauthorized disclosure of the personally identifiable information the insured is liable. With respect to Media Liability, the policy lists a series of acts, one or more of which committed by the insured in the course of creating, displaying, broadcasting, disseminating or releasing media material to the public. Media material is defined as any information including words, sounds, numbers, images or graphics, but not the computer software or the actual goods, - 22 - Nos. 1-21-1097 & 1-22-0308 (cons.) products or services described, illustrated or displayed in such media material. However, we find that none of these circumstances were presented by the BNSF lawsuit that would have triggered Lloyd’s duty to defend Remprex. ¶ 54 First and foremost, Remprex was never named as a defendant in the BNSF complaint, thus no claim as defined by the policy was ever made against it by Rogers, which would arguably have formed the basis for any duty to defend under the provisions of the policy. As previously noted, the BNSF lawsuit has since reached a verdict after a jury trial in October 2022 without Remprex ever being named as a party. Under the plain language of the policy, there was never a claim made against Remprex- no written demand for money or services, that would have triggered the policy’s coverage under either the media liability or data & network liability provisions. Nor did the BNSF lawsuit fall within the other definition of a claim under the data & network liability insuring agreement as there was no demand that Remprex fulfill a contractual obligation to provide notice of a data breach pursuant to a breach notice law as required by the policy. ¶ 55 Moreover, although Remprex apparently voluntarily participated in certain information- gathering activities related to the BNSF lawsuit in March 2020, we find that such activities did not rise to the level of being a named party in the suit with a claim filed against it or the incurrence of claims expenses as defined by the policy. The policy specifically defined claims expenses as “all reasonable and necessary legal costs and expenses resulting from the investigation, defense and appeal of a Claim, if incurred by the Underwriters, or by the Insured with the prior written consent of the Underwriters.” (Emphasis added). Here, there was no evidence in the record that Remprex had written consent from Lloyd’s to participate in any information-gathering activities in the BNSF lawsuit, thus such expenses would not have - 23 - Nos. 1-21-1097 & 1-22-0308 (cons.) been covered as claims expenses. This is so, despite language in the policy exclusions section, which states that claims expenses incurred in defending the insured against allegations of unlawful collection of personally identifiable information because such activity was not pre- approved by Lloyd’s, which was a condition precedent under the definition of claims expenses. ¶ 56 Additionally, a review of the BNSF complaint reveals that there were general allegations made against BNSF and “authorized vendors,” however, such general language did not bring the BNSF complaint within the definition of a claim as defined by the policy because there was no written demand received by Remprex for money or services in the BNSF complaint. We therefore conclude that because Remprex was never named as a defendant nor ever included in the BNSF lawsuit beyond its voluntary participation in information-gathering activities related to it, there was no demand made of Remprex for money or services that would support a claim for coverage under the plain language of the policy. Thus, the policy precludes coverage and Lloyd’s had no duty to defend against the BNSF complaint. ¶ 57 The same result is reached when considering BNSF’s answer to the complaint, in which it identified Remprex as an authorized vendor related to matters raised in the complaint. BNSF’s answer was not a claim made against Remprex within the meaning of the policy because it did not demand money or services. Although BNSF sent a letter to Remprex after the BNSF lawsuit was filed requesting indemnification pursuant to their contractual agreement, the policy specifically excluded any contractual liability or obligation with respect to the media liability coverage. Apparently, Rempex had a contractual obligation to indemnify BNSF under the terms of their contract, which would therefore fall outside of the policy’s coverage. Thus, BNSF’s answer to the complaint in the lawsuit that did not name Remprex as a defendant was - 24 - Nos. 1-21-1097 & 1-22-0308 (cons.) not a claim within the plain language of the policy and Lloyd’s had no duty to defend against the BNSF answer. ¶ 58 With respect to the third-party subpoena received by Remprex from plaintiff Rogers’ counsel in August 2020, the record reveals that Remprex did not submit a claim to Lloyd’s regarding the subpoena. Remprex had previously submitted its initial request for coverage to Lloyd’s in June 2019, Lloyd’s denied coverage in November 2019, and Remprex filed this suit in August 2020. The subpoena, received by Remprex after the denial of coverage by Lloyd’s was never submitted to Lloyd’s for coverage, and Lloyd’s only learned of the subpoena during the pendency of the litigation at issue. The policy required the insured to notify the insurer of any claim or potential claim as soon as practicable, but not later than 90 days after the end of the policy period. The policy at issue expired on July 30, 2019, thus it was no longer in place when Remprex received the subpoena more than a year later. Because the subpoena was received outside of the notice provision under policy, there was no coverage available. ¶ 59 Although Remprex considers the subpoena to be part of its original request for coverage filed in June 2019, Lloyd’s duty to defend was never triggered because Remprex was not a named party to the BNSF lawsuit and there was no claim filed against it.. Thus, the subpoena was also not covered as it did not fall within the policy’s effective dates or within 90 days after its expiration. ¶ 60 We therefore conclude that, despite Remprex’s efforts to persuade us to the contrary, the policy did not cover any aspect of the BNSF lawsuit as Remprex was not a party to it and there was no claim for damages or demand for services made against Remprex in the BNSF lawsuit. We decline to discuss any other aspects of the policy specifics in reference to the BNSF lawsuit as we believe our conclusion fully disposes of the issue. Accordingly, we find that Lloyd’s - 25 - Nos. 1-21-1097 & 1-22-0308 (cons.) section 2-615 motion was properly granted with respect to the BNSF lawsuit because, even assuming that all well-pleaded facts in the declaratory judgment complaint are true, Remprex’s complaint fails to state a cause of action against Lloyd’s for coverage as there was no duty to defend in the BNSF lawsuit. Omega Demolition Corporation,
2022 IL App (1st) 210158, ¶ 36. The circuit court thus properly dismissed counts I and II as they pertain to the BNSF lawsuit. ¶ 61 2. Duty to Defend Against the CN Complaint ¶ 62 Remprex also contends that Lloyd’s had a duty to defend it against the CN complaint under both the media liability and data & network liability coverage in the policy. It is uncontroverted that Remprex was a named defendant in the CN complaint and that a monetary demand was made in the prayer for relief, thereby satisfying the policy definition of a claim. Our question then becomes whether Remprex’s claim was caused by a covered event so as to bring its losses within the ambit of the policy. Throgs Neck Bagels, 671 N.Y.S. 2d at 69. We note again that while Remprex was initially named in the CN complaint, Remprex filed a successful motion to dismiss, and the plaintiff voluntarily dismissed Remprex from the suit in November 2019, approximately four months after filing the complaint. ¶ 63 a. Coverage Under the Media Liability Provision ¶ 64 With respect to the media liability coverage, as it has maintained in all of its pleadings related to this case, Remprex argues that the CN lawsuit involved allegations that Remprex disseminated media material to the public, including information violating individuals’ privacy rights under BIPA, which was collected and transferred to third parties. Remprex insists that Lloyd’s interpretation of the policy language “to the public” as meaning the community at large is too narrow and limits the scope of the provision is ways that were not intended by the - 26 - Nos. 1-21-1097 & 1-22-0308 (cons.) policy. Remprex contends that the word “public” as used in the policy is ambiguous and that the public could include a limited group. ¶ 65 In order to determine whether the Media Liability provision of the policy applied and thus triggered Lloyd’s duty to defend, we must first examine the type of information that was alleged to be captured or collected, and whether that type of information was covered by the policy. ¶ 66 The CN complaint alleged that the named defendants collected and transferred the individual’s fingerprints in violation of Illinois’ BIPA law. BIPA requires that an individual be informed and provide a release before any biometric information is captured or collected. See Watson v. Legacy Healthcare Financial Services, LLC,
2021 IL App (1st) 210279, ¶ 53. Under BIPA, “biometric information” is defined as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” 740 ILCS 14/10 (West 2018); Mosby v. Ingalls Memorial Hospital,
2022 IL App (1st) 200822, ¶ 47. BIPA further defines “biometric identifiers” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
Id.In the underlying CN complaint, it was alleged that the plaintiffs’ fingerprint information was collected and stored without permission. There is no dispute that any collection and transfer of an individual’s fingerprints without informing them and procuring a release would be a violation of BIPA. ¶ 67 However, the crux of our issue is whether an alleged violation of BIPA, as outlined in the CN complaint, triggered the media liability coverage under the policy. ¶ 68 As noted above, the policy specifically defines media liability as one or more of enumerated acts committed by or on behalf of the insured in the course of creating, displaying, broadcasting, disseminating or releasing media material to the public. As detailed above, the - 27 - Nos. 1-21-1097 & 1-22-0308 (cons.) policy then goes on to outline specific acts that fall within the scope of coverage. The policy also defines media material as any information, including words, sounds, numbers, images or graphics. The parties do not appear to dispute whether fingerprints are considered media material as defined in the policy. ¶ 69 Remprex focuses its argument on the dissemination to the public requirement for coverage, maintaining that the policy did not define “public,” and it is thus an ambiguous term. Remprex argues that Lloyd’s uses a narrow definition of public and maintains that “public” can apply to information shared between itself and one other entity. To the contrary, we find that under the circumstances presented here, dissemination to the counterparty of the agreement to collect such information was not reasonably anticipated under the policy to constitute “public.” ¶ 70 The construction and interpretation of an unambiguous written contract is an issue of law within the province of the court, as is the inquiry of whether the writing is ambiguous. Palombo Group v. Poughkeepsie City School District,
3 N.Y.S. 3d 390, 392 (2015). If the language is free from ambiguity, its meaning may be determined as a matter of law on the basis of the writing alone without resort to extrinsic evidence.
Id.The contract language in an insurance policy is to be read in light of common speech and interpreted according to the reasonable expectations and purposes of ordinary businesspeople when making ordinary business contracts. Heartland Brewery, Inc. v. Nova Casualty Co.,
52 N.Y.S. 3d 55, 57 (2017). Before the rules governing the construction of ambiguous contracts are triggered, the court must first find an ambiguity. Elletson v. Bonded Insulation Co. Inc.,
708 N.Y.S. 2d 511, 513 (2000). An ambiguity does not exist simply because the parties urge different interpretations or where one party’s view strains the contract language beyond its reasonable and ordinary meaning.
Id.- 28 - Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 71 In this case, we find that the term “to the public” is not ambiguous, despite Remprex’s arguments to the contrary. Merriam-Webster Dictionary defines public as “exposed to general view.” https://www.merriam-webster.com/dictionary/public (accessed February 8, 2023). In reading the policy’s use of the term “to the public” within the media liability definition, in context with the types of acts that would constitute media liability, it is clear that the policy intends for coverage to attach to actions that were intended for general view. For example, the policy defines media liability as one or more of the following acts in the course of creating, displaying, broadcasting, disseminating or releasing media material to the public: defamation, libel, slander or other tort related to the disparagement or harm to the reputation or character of any person or organization; plagiarism; copyright infringement; and invasion of or interference with any right to private occupancy, to name a few. These types of acts clearly anticipate that such media material has to be exposed to general view such that they would harm an individual or organization in order for coverage to apply. No such acts were included in the CN complaint’s allegations against Remprex- there was no allegation that Remprex disseminated or released the plaintiff’s biometric data to general view, only that it was shared between Remprex and the various railroad entities named within the suit. We therefore conclude that the use of “public” in the policy is not ambiguous and should be given its plain and ordinary meaning. Applying the plain and ordinary meaning to the language of the policy, it is clear that the allegations of the CN complaint did not allege that Remprex disseminated any media material to the public. ¶ 72 Aside from disseminating media material to the public, however, the policy also defines media liability as violating an individual’s right to privacy during the “course of creating media material.” As noted above, the parties do not appear to dispute whether fingerprints are - 29 - Nos. 1-21-1097 & 1-22-0308 (cons.) considered media material. Nor is there any dispute that the CN lawsuit alleged that Remprex created such media material, which would thus fall or potentially fall within coverage under the policy. However, that does not end our inquiry. ¶ 73 It bears noting that the policy also contains language excluding losses arising from the unlawful collection or retention of personally identifiable information or other personal information by or on behalf of the insured organization. Nevertheless, the exclusion contains an exception, indicating that the exclusion is not applicable to claims expenses incurred in defending the insured against allegations of the unlawful collection of personally identifiable information. That is precisely what the CN complaint accused Remprex of doing: unlawfully collecting the plaintiffs’ fingerprints. As such, we find that there was coverage under the policy for the claims expenses related to defending against the CN lawsuit. As noted, the CN complaint was filed on July 26, 2019, and Remprex was not dismissed from the lawsuit until November 24, 2019. Under the terms of the policy, Remprex was entitled to coverage for its claims expenses incurred in defending against the CN lawsuit. ¶ 74 Accordingly, we find that the trial court erred in denying coverage for the claims expenses that Remprex incurred in defending against the CN lawsuit based on its allegations that it unlawfully collected the CN plaintiffs' fingerprints. We therefore remand to the circuit court for a determination of those claims expenses due to Remprex. ¶ 75 b. Coverage Under the Data & Network Liability Provision ¶ 76 Remprex makes a similar argument with respect to its claim for coverage under the data & network liability provisions of the policy. Remprex asserts that the policy requires Lloyd’s to defend Remprex for a “data breach,” defined as any theft, loss or unauthorized disclosure of personally identifiable information *** that is in the care, custody or control of [Remprex] or - 30 - Nos. 1-21-1097 & 1-22-0308 (cons.) a third party for whose theft, loss, or unauthorized disclosure of personally identifiable information [Remprex] is liable.” Remprex argues that “in some way or another,” the CN suit alleges that plaintiffs lost their personally identifiable information and that Remprex is liable for that loss, which makes the claim covered under the policy. Remprex contends that there is no question that the biometric data constitutes personally identifiable information under the policy, and further that the suit alleges a “loss” for which it is liable. Remprex makes a convoluted argument that the word “loss” with a lowercase “l” is different than the policy’s defined term “Loss” with a capital “L,” thus making the term ambiguous and seeks to employ extrinsic evidence to define the term. ¶ 77 As noted above, the data & network liability section of the policy provided, in pertinent part, that it would pay damages and claims expenses, which the insured was legally obligated to pay because of any claim made against the insured during the policy period for a data breach; a security breach; the insured’s failure to timely disclose a data or security breach; failure by the insured to comply with that part of a privacy policy that specifically prohibited or restricted the insured’s disclosure; and, the sharing or selling of personally identifiable information (provided that the insured had such privacy policy in place). The policy defined data breach as any software or electronic data that exists in computer systems and was subject to regular back- up procedures. A data breach was defined as the theft, loss, or unauthorized disclosure of personally identifiable information or third party information that was in the care, custody or control of the insured or a third party for whose theft, loss or unauthorized disclosure the insured was liable. The policy also defined what constituted a loss. Personally Identifiable Information was defined as any information concerning an individual that was defined as personal information under any breach notice law; and an individual’s driver’s license or state - 31 - Nos. 1-21-1097 & 1-22-0308 (cons.) identification number, social security number, unpublished telephone number, and credit, debit or other financial account numbers in combination with associated security codes, access codes, passwords or PINs, provided such information allows an individual to be uniquely and reliably identified or contacted or allows access to the individual’s financial account or medical record information. It did not, however, include information that is lawfully made available to the general public. Finally, a security breach was defined as a failure of computer security to prevent unauthorized access or use of a computer system, including that which occurred from the theft of a password from a computer system or any insured; a denial of service attack affecting computer systems; with respect to coverage under the Liability insuring agreements, a denial of service attack affecting computer systems that are not owned, operated or controlled by an insured; or the infection of computer systems by malicious code or transmission of malicious code from computer systems. ¶ 78 A plain reading of the terms of the data & network liability coverage section of the policy as well as the relevant definition sections establish that the alleged violation of BIPA in the CN complaint do not fall, or potentially fall within this section of the policy. While it is true that fingerprint biometric data is personally identifiable information, the collection and storage of it without the individual’s permission does not appear to fall under this section of the policy. Contrary to Remprex’s argument, the CN complaint does not allege that such biometric data was stolen or shared with the public; rather, the complaint alleged that the named defendants played a part in collecting and sharing such data with one another without permission in violation of BIPA. The relevant policy section appears to apply primarily to third-party breaches of the insured’s computer systems which in turn exposes the stored personal information to unauthorized persons. Remprex’s attempts to bring the allegations of the CN - 32 - Nos. 1-21-1097 & 1-22-0308 (cons.) complaint under the data & network coverage of the policy, while certainly creative, are without merit. The CN complaint contained no allegations that an unauthorized third party accessed individuals’ personal information and shared it with the public, instead it merely alleged that the named parties engaged in the unauthorized collection of their personal information without their consent, which in turn is a violation of BIPA. We therefore conclude that Lloyd’s had no duty to defend pursuant to the data & network provision of the policy. ¶ 79 We do not reach a discussion of whether there is a difference between loss with a lowercase “l” or uppercase “L” as we believe the plain language of the policy is dispositive of the issue. ¶ 80 D. Breach of Contract (Count II) ¶ 81 Remprex also contends that Lloyd’s breached the contract of insurance by refusing to provide coverage for the CN and BNSF lawsuits. However, to the contrary, our conclusion that there was no coverage for the BNSF lawsuit means that Lloyd’s had no duty to defend it and thus there was no breach of contract by its failure to do so. Consequently, the section 2-615 motion to dismiss was properly granted as to count II regarding the BNSF lawsuit. ¶ 82 With respect to the CN lawsuit, because we have found limited coverage for the claims expenses incurred by Remprex in defending against the CN lawsuit, we also find that Remprex has sustained its breach of contract claim for the CN lawsuit. However, in the context of insurance liability litigation, Remprex’s damages related to a breach of the duty to defend are limited to the cost to the insured of defending itself. East Ramapo Central School District v. New York School Insurance Reciprocal,
158 N.Y.S. 3d 173, 179 (2021). ¶ 83 E. Bad Faith (Count III) and Vexatious and Unreasonable Conduct (Count IV) ¶ 84 Remprex further alleged in count III of its first amended complaint that Lloyd’s denied its claims “without conducting a reasonable investigation based on all available information as - 33 - Nos. 1-21-1097 & 1-22-0308 (cons.) required under Illinois law.” Specifically, Remprex takes issue with the time it took Lloyd’s to “analyze and prepare its denial letter to Remprex’s request for coverage of the CN [and BNSF] lawsuit[s].” Additionally, in Count IV, Remprex alleged that Lloyd’s conduct in denying coverage was vexatious and unreasonable under Illinois law, which entitled it to attorney’s fees under section 155 of the Insurance Code (215 ILCS 5/155 (West 2020)). We disagree. ¶ 85 Remprex’s claims of bad faith and vexatious and unreasonable conduct go hand in hand. Section 155 provides an extracontractual remedy intended to make suits by policyholders economically feasible and punish insurance companies for misconduct. McGee v. State Farm Fire & Casualty Co.,
315 Ill. App. 3d 673, 681 (2000). Thus, the key question in a section 155 claim is whether an insurer’s conduct is vexatious and unreasonable.
Id.To state a claim under section 155, the insured must plead some factual support and cannot merely allege that the insurer’s conduct was vexatious and unreasonable.
Id.Whether a delay is vexatious and unreasonable is a question of fact that must be assessed based on the totality of the circumstances, taken in broad focus. Nine Group II, LLC v. Liberty International Underwriters, Inc.,
2020 IL App (1st) 190320, ¶ 41. No single factor is controlling.
Id.In examining the circumstances, courts have considered the insurer’s attitude, whether the insured was forced to file suit to recover, and whether the insured was denied the use of its property.
Id.Additional considerations include whether there is a bona fide dispute concerning coverage, the extent of the insurance company’s evaluation and investigation of the claim, and the adequacy of the communications between the insurance company and the insured.
Id.Section 155 costs and sanctions are inappropriate when a bona fide dispute regarding coverage exists. Id. ¶ 44. Bona fide is defined as real, actual, genuine, and not feigned. Id. Where an insurer reasonably relies upon evidence sufficient to form a bona fide dispute, the insurer has not acted unreasonably - 34 - Nos. 1-21-1097 & 1-22-0308 (cons.) and vexatiously under section 155. Id. Nor is an insurer liable for a violation of section 155 when it takes a reasonable but erroneous position on its coverage obligations where its position is at least arguable. Evergreen Real Estate Services, LLC v. Hanover Insurance Co.,
2019 IL App (1st) 181867, ¶ 38. The granting of attorney fees and penalties pursuant to section 155 is usually entrusted to the sound discretion of the trial court but when section 155 fees and costs are awarded as a judgment on the pleadings, the standard of review is de novo. Statewide Insurance Co. v. Houston General Insurance Co.,
397 Ill. App. 3d 410, 425 (2009). ¶ 86 We find that Remprex has not sufficiently alleged that Lloyd’s actions were vexatious and unreasonable. The conduct in question that was alleged by Remprex to constitute bad faith and vexatious behavior, namely the delay in processing the claims could reasonably demonstrate just the opposite- the amount of time 3 that Lloyd’s took to analyze the claim and determine whether there was policy coverage could support the inference that instead of immediately denying the claim, Lloyd’s fully researched it to ensure that coverage would not be unfairly withheld. Additionally, Lloyd’s denial of coverage was based on a bona fide dispute as to coverage; indeed, it is that dispute that got us here. Such bona fide dispute cannot support Remprex’s claims of bad faith and vexatious and unreasonable behavior that would entitle it to section 155 attorney fees. Accordingly, Remprex’s claims of bad faith and vexatious and unreasonable conduct were properly dismissed. ¶ 87 F. Violations of the Illinois Consumer Fraud Act (Count V) 3 Remprex filed its initial claim for the BNSF case in June 2019 which Lloyd’s denied in November 2019, only five months later. Discussions continued until April 2020 and Remprex filed the within case in August 2020. - 35 - Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 88 Remprex further alleged in count V that Lloyd’s conduct was a violation of the Consumer Fraud Act (815 ILCS 505/2 (West 2020)) by engaging in unfair and deceptive acts and practices and arbitrarily denying claims without basis. We find that these counts were properly dismissed by the circuit court. ¶ 89 The Consumer Fraud Act is a regulatory and remedial statute that is intended to protect consumers, borrowers, and businesspersons against fraud, unfair methods of competition, and other unfair and deceptive business practices. Robinson v. Toyota Motor Credit Corp.,
201 Ill. 2d 403, 416-17 (2002). It makes it unlawful to engage in any unfair or deceptive acts or practices, including but not limited to the use of any deception, fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely on it in the conduct of any trade or commerce. 815 ILCS 505/2 (West 2020). To establish a violation under the Act, a plaintiff must establish: (1) a deceptive act or practice by the defendant; (2) the defendant's intent that the plaintiff rely on the deception; (3) the occurrence of the deception during a course of conduct involving trade or commerce; and (4) the consumer fraud proximately caused the plaintiff's injury. White v. Daimler Chrysler Corp.,
368 Ill. App. 3d 278, 283 (2006). To establish a claim under the Consumer Fraud Act, a plaintiff must show that (1) defendant committed a deceptive act or practice; (2) defendant intended for plaintiff to rely on the deception; (3) the deception occurred in the course of conduct involving trade or commerce; (4) plaintiff suffered actual damages; and (5) plaintiff's damages were proximately caused by defendant's deceptive conduct. DOD Technologies v. Mesirow Insurance Services, Inc.,
381 Ill. App. 3d 1042, 1050-51 (2008). A complaint alleging a consumer fraud violation must be pled with the same particularity as that required under common law fraud.
Id.- 36 - Nos. 1-21-1097 & 1-22-0308 (cons.) ¶ 90 Here, Remprex’s first amended complaint alleged that Lloyd’s engaged in unfair and deceptive acts and practices by creating through its advertising the expectation among prospective insureds that media liability claims would be covered; selling policies purporting to cover media liability; and then arbitrarily and without basis denying coverage for such claims. The record does not support Remprex’s allegations- Lloyd’s policy did provide coverage for media liability as defined within the policy purchased by Remprex and Remprex’s claims were not arbitrarily denied without a basis. We have determined that the policy provided no coverage for Remprex’s claim for the BNSF lawsuit, and further that the policy provided limited coverage for Remprex’s claim for the CN lawsuit. We have also determined that there was no bad faith or vexatious and unreasonable conduct in Lloyd’s handling of the claims as there was a bona fide dispute as to coverage. We find that Remprex has not sustained its burden in raising a claim under the Consumer Fraud Act. Thus, its claim was properly dismissed. ¶ 91 G. Common Law Fraud (Count VI) ¶ 92 In count VI of the first amended complaint, Remprex alleged that Lloyd’s “engaged in fraudulent acts and practices by creating through its advertising the expectation among prospective insureds that Media Liability claims would be cover[ed]; selling policies purporting to cover Media Liability claims; and then arbitrarily and without basis denying coverage for such claims.” Remprex further alleged that Lloyd’s engaged in these practices with the intent to deceive insureds, and that Remprex relied on those practices to its detriment. ¶ 93 We conclude that Remprex’s claim of common law fraud fails because it did not satisfy the elements of common law fraud. The elements of common-law fraud are a material misrepresentation of an existing fact, made with knowledge of the falsity, an intent to induce reliance thereon, justifiable reliance upon the misrepresentation, and damages. Kastin v. - 37 - Nos. 1-21-1097 & 1-22-0308 (cons.) GEIGO General Insurance Co.,
140 N.Y.S. 3d 521, 523 (2021). Where a cause of action is based on a misrepresentation or fraud, the circumstances constituting the wrong shall be stated in detail.
Id.¶ 94 To start, Remprex fails to satisfy the requirement that there must be a false statement of material fact. Here, the fact that Lloyd’s provided coverage for media liability in its policy was not a false statement; there was no issue raised as to whether Lloyd’s provided that type of coverage. The only issue raised here was whether the claims made by Remprex fell or potentially fell within the scope of that coverage, which Lloyd’s concluded that it did not and denied coverage under the policy. Remprex does not allege any additional facts to support this element, and such failure is fatal to its claim. We therefore affirm the dismissal of count VI. 4 ¶ 95 CONCLUSION ¶ 96 In conclusion, we affirm the portion of the circuit court’s 2-615 dismissal as to all claims related to the BNSF lawsuit and counts III through VI. We reverse the circuit court’s finding that there was no coverage under the CN lawsuit, finding that there was coverage for Remprex’s claims expenses incurred in defending the CN lawsuit. We therefore remand for a calculation of Remprex’s claims expenses due under the policy’s coverage. ¶ 97 Affirmed in part; reversed in part; remanded with directions. 4 As stated above, since the issue of whether Lloyd’s had a duty to indemnify Remprex has not been raised in this appeal, we do not address that issue here. See Rodgers v. St. Mary’s Hospital of Decatur,
149 Ill. 2d 302, 309 (1992). - 38 -
Document Info
Docket Number: 1-21-1097
Citation Numbers: 2023 IL App (1st) 211097
Filed Date: 3/31/2023
Precedential Status: Precedential
Modified Date: 3/31/2023