Many companies and other organizations are turning to biometric data for security. Biometrics are biological measurements and include fingerprints, retinal scans, handprints, and face scans. These can allow access to computers, computer programs, and access into secured locations. The use of biometric data has increased since 2020 as a way to reduce physical interactions. The rise of two step authentication for security purposes will likely create additional use of biometric data.
However, the use of biometrics does present some risks as the biometric data must be collected and stored. Unintentional release, use, or access to this information has and can lead to litigation, often in the form of class actions. Hackers have become more sophisticated, and one group was even able to replicate the iris patter of German Chancellor Angela Merkel. While passwords can be changed following a breach, fingerprints, handprints, retinas, and facial patterns cannot. The theft of this information could clearly cause significant losses and liabilities. In addition, although the use, collection, and storage of biometric data is not federally regulated, states are beginning to enact biometric data privacy laws. Illinois and Texas have passed statutes that focus on biometric data privacy. Connecticut, Iowa, Nebraska, North Carolina, Oregon, Wisconsin and Wyoming have passed regulation of the collection of biometric data through data breach security laws including biometric data in the definition of “personal information.” Data breaches that include biometric information often implicate these state laws. The Illinois law has included a private cause of action as well.
The discussion will follow hypothetical claims involving Super Gym, insured by ABC Insurance Company, and will discuss the life of the claims and issues that may arise along way. We will also discuss the biometric privacy laws enacted in a handful of states. A summary of case law is also below.
Insurance policies as currently drafted likely do not address the potential claims that could arise. This creates many issues and potential disputes between insureds and insurers. This panel will explore coverage and potential coverage problems with claims associated with biometric data. We will have sample policies at the discussion to facilitate participation in following the claim and discussing issues.
SUPER GYM BIOMETRIC DATA BREACH CLAIM
Super Gym collects handprints from employees for timekeeping and authentication purposes (for access to other company software and access to areas within the gym). Super Gym also collects facial scans and handprints from its members. This allows members to check in by standing in front of a camera. The handprints allow member access to areas of the gym depending on the type of membership they purchased. Super Gym did not disclose to its employees or members any other uses of this biometric information.
Sometime later, it was learned a third party had obtained access to the biometric information Super Gym maintained. There is a dispute as to whether it was stolen or if Super Gym sold it to a third party. Now Super Gym is defending two class actions against it – one from its employees and one from its members.
Super Gym has tendered the claim to its insurer, ABC Insurance Company through its Broker. ABC issued complete business coverage to Super Gym, including Workers’ Compensation with Employers’ Liability Coverage, General Liability Coverage, Property Coverage, Cyber Coverage, and Commercial Auto Coverage.
West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill., 2021)
A customer of Krishna Schaumburg Tan (“Krishna”) brought a class action lawsuit against the company for violation of the Biometric Information Privacy Act (“BIPA”) when it collected customers’ fingerprints and disclosed their biometric information to a third party. Krishna tendered its defense to its insurer, West Bent Mutual Insurance Company (“West Bend”). West Bend subsequently filed this declaratory judgment lawsuit asserting that it did not owe Krishna a defense obligation.
West Bend issued two businessowners’ liability policies to Krishna which provide coverage for “’bodily injury’, ‘property damage’, ‘personal injury’ or ‘advertising injury.’” West Bend argued that the underlying lawsuit did not come within the policies’ coverage for “personal injury” or “advertising injury” because the underlying complaint did not allege a “publication” of material that violated a person’s right of privacy. West Bend also argued in the alternative that the “Distribution of Material in Violation of Statutes” exclusion applied. The Supreme Court of Illinois found that the underlying complaint fell within West Bend’s policies’ coverage because it contained allegations that Krishna shared biometric identifiers with a third party that potentially violated the customer’s right to privacy. With respect to the policy exclusion, the policy language states that the policies do not apply to “1) the TCPA, (2) the CAN-SPAM Act, and (3) statutes “other than” the TCPA or CAN-SPAM Act that prohibit or limit the communication of information.” The court found that the “other than” language in the exclusion means “other statutes of the same general kind that regulate methods of communication like the TCPA and the CAN-SPAM Act,” and because BIPA is not a statute of the same kind as the TCPA and the CAN-SPAM Act, the violations of statutes exclusion did not apply.
Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, Case No. 20-CV-05980, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022)
Citizens Insurance Company of America (“Citizens”) issued a Commercial Lines Policy and Hanover Insurance Company (“Hanover”) issued a Commercial Follow Form Excess and Umbrella Liability Policy to Thermoflex. Gregory Gates, an employee of Thermoflex, filed a class-action lawsuit on behalf of himself and those similarly situated against Thermoflex, a company that specializes in the production of automotive accessories. Thermoflex collected employee handprint data for “authentication and timekeeping purposes.” Gates’ lawsuit alleged three counts for violation of BIPA against Thermoflex. When Thermoflex tendered its defense to Citizens and Hanover, both insurers denied coverage. Citizens and Hanover brought this declaratory judgment action alleging they had no duty to defend or indemnify Thermoflex for the claims asserted against it in the Gates lawsuit.
However, Thermoflex claimed the carriers had an obligation to defend it in the Gates lawsuit because the suit arises out of a “personal and advertising injury.” That term is defined by the policies to include “[o]ral or written publication[s], in any manner, of material that violates a person’s right of privacy.” The insurers argued that the Employment-Related Practice Exclusion, the Recording and Distribution of Material or Information Exclusion, and the Access or Disclosure of Confidential or Personal Information Exclusion apply and therefore bar coverage to Thermoflex.
Employment-Related Practice Exclusion
The insurers argued that claims for personal and advertising injuries do not extend to “[e]mployment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.” The court pointed out that “collection of handprints” was not expressly listed in the exclusion. The court noted that “the listed examples of “defamation, harassment, discrimination, and malicious prosecution” could be viewed as types of legal claims, whereas “demotion, evaluation, reassignment, and humiliation” could be viewed as employer conduct. The court noted that a BIPA privacy violation could be viewed as both. Thus, the court found that the “mixture of examples” in the exclusion “amplifies the ambiguity of the exclusions” and that the claims in the Gates lawsuit did not “unambiguously share ‘general similitude with … the matters specifically enumerated in the employment-related practices exclusion.’”
Recording and Distribution of Material or Information Exclusion
The catchall provision of the Recording and Distribution of Material or Information In Violation of Law Exclusion states that it excludes coverage for: “‘Personal and advertising injury’ arising directly or indirectly out of any action or omission that violates or is alleged to violate … (4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court, in citing to Krishna, supra, found that BIPA is facially not “of the same kind” as the enumerated statutes in the exclusion. The court found that at best, it was unclear whether BIPA was sufficiently similar to those other statutes enumerated in the catch-all provision of the exclusion, and at worst, BIPA is different in kind, as found in Krishna. The court found the exclusions, “may be viewed as ambiguous[.]”
Access or Disclosure of Confidential or Personal Information Exclusion
The policies state that the insurance does not apply to “‘Personal and advertising injury’ arising out of any access to or disclosure of any person’s or organizations confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court centered its analysis on whether “biometric information” or more narrowly, “handprint information” fell within the catch-all for “any other type of nonpublic information.” The court applied the doctrine of noscitur a sociis, finding that the catch-all provision should be interpreted “by the company it keeps.” The court found that the enumerated examples are types of “sensitive information traditionally kept private – whether for financial/proprietary reasons” and that handprints did not share the attributes of privacy or sensitivity. The court stated, “it is at best unclear whether BIPA treats handprints as ‘confidential and sensitive information.’”
Twin City Fire Ins. Co. v. Vonachen Services, Inc., Case No. 20-CV-1150-JES-JEH, 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021)
A class action lawsuit was filed in the Illinois circuit court against Vonachen by employee Annastasia Rodriguez asserting violations of BIPA, as Vonachen required its employees to use their fingerprints as a means of authentication. Vonachen failed to inform its employees of the extent and purpose for collecting their biometric data, and failed to inform its employees of whether such data was disclosed to third parties.
Vonachen promptly provided notice of the Rodriguez lawsuit to its carrier, Twin City Fire Insurance Company (“Twin City”) and Twin City denied coverage. After issuing a second coverage denial, counsel for Vonachen provided a copy of the employee handbook to Twin City. Twin City then brough a declaratory action seeking a declaration that it owes no insurance obligations to Vonachen with respect to the underlying action. Thereafter, Jess Gumm filed a class action lawsuit against Vonachen also asserting BIPA violations. Twin City amended its declaratory judgment complaint also seeking a declaration that it did not owe any insurance obligations to Vonachen regarding the Gumm lawsuit.
The employee handbook requires employees to record their hours via a punch-in punch-out system with their fingerprints. The handbook indicates a failure to record timely could subject an employee to disciplinary action or termination. The handbook does not discuss privacy risks. The policy issued by Twin City contained two coverages parts – Directors, Officers and Entity Liability Coverage Part (“D&O), and Employment Practices Liability Coverage Part (“EPL”).
D&O:
Twin City raised the argument that two exclusions applied – the insured v. insured exclusion and the invasion of privacy exclusion. Regarding the insured v. insured exclusion, Vonachen argued that an exception to the insured v. insured exclusion applied – the whistleblower exception. The Insured v. Insured Exclusion states that “The insurer shall not pay Loss…(G) in connection with any Claim brought or maintained by or on behalf of any Insureds (in any capacity) or any security holder of an Insured Entity…” Twin City argued that because Vonachen is an insured entity and an employee brought a claim on behalf of herself and other employees against Vonachen, the exclusion applied.
Vonachen argued the Whistleblower exception to the exclusion applied. Vonachen argued that the plaintiffs in the underlying actions fit the definition of “whistleblowing” because they are “insured persons” under the policy who lawfully provided information via their complaints for alleged BIPA violations. The policy’s Whistleblower exception states “this exclusion shall not apply to the portion of Loss directly resulting from … (9) a civil proceeding as a result of Whistleblowing.” The court found that the exclusion did not apply because the Whistleblower exception was so broad that there was a reasonable disagreement as to the applicability of the exclusion, therefore, the exception to the exclusion applied.
Regarding the invasion of privacy exclusion, it states that the insurer “shall not pay Loss under Insuring Agreement (C) in connection with any Claim based upon, arising from, or in any way related to any actual or alleged … invasion of privacy.” The court found the “arising from, or in any way related” language to be a very broad application of the exclusion to invasion of privacy. Therefore, the court held the exclusion barred coverage under the D&O policy for Vonachen.
EPL:
Regarding EPL coverage, Vonachen argued that an “Employment Practices Wrongful Act” included a “breach of any oral, written or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook.” The handbook required Vonachen to use the timekeeping system, and stated that Vonachen would comply with all “applicable laws and regulations.” The court found the terms “arising from” and “obligation” under the “Employment Practices Wrongful Act” were broad terms and that the policy specifically stated there were no limitations on the inclusion of those obligations. The court stated that “based on the repeated allegations that Vonachen required employees to record their time using their biometrics; the Handbook describing the employees’ required compliance with timekeeping obligations or face discipline as well as Vonachen’s agreement to comply [with] laws associated with the Handbook, which could be construed as a contract; and the language in the Policy covering ‘breach[es] of any oral, written, or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook, or policy statement,’ the Court finds the allegations in the underlying complaints potentially fall within the EPL coverage.”
The court further found that the underlying complaints encompassed an “Employee Data Privacy Wrongful Act,” which includes “an employment-related invasion of privacy, including, without limitation, an Employee Data Privacy Wrongful Act.” The policy defined an “Employee Data Privacy Wrongful Act” as “The failure to notify any Employee or applicant for employment with the Insured Entity of any actual or potential authorized access to or use of Private Employment Information of any Employee or applicant for employment with the Insured Entity, if such notice was required by state or federal regulation or statute.” In finding that the BIPA violations fit within this definition, the court held Twin City had a duty to defend under the EPL policy based on the allegations in the underlying complaints and “the broad language [Twin City] chose to include in its coverage.”
Massachusetts Bay Ins. Co. v. Impact Fulfillment Services, LLC, Case No. 1:20CV926, 2021 WL 4392061 (M.D.N.C. Sept. 24, 2021)
Massachusetts Bay Insurance Company and Hanover Insurance Company (the “Insurers”) issued policies to Impact Fulfillment Services with IFS Holdings named as an additional insured (the “Insureds”). The Insureds used their employees’ fingerprints as part of their payroll and time-keeping system. The employees sued the Insureds for violation of BIPA. Thus, the Insurers brought this declaratory judgment action claiming that they owed no duty to defend or indemnify the Insureds based on the class action lawsuit brought against the Insureds by its employees for violation of BIPA. The Court analyzed the Recording and Distribution of Material or
Information Exclusion, which states:
This insurance does not apply to:
….
“Personal and advertising injury” arising directly or indirectly out of any action or omission that violates or is alleged to violate:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law;
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law;
(3) The Fair Credit Reporting Act (FCRA), and any amendment of or addition to such law, including the Fair and Accurate Credit Transactions Act (FACTA); or
(4) Any federal, state or local statute, ordinance or regulation, other than the TCPA, CAN-SPAM Act of 2003 or FCRA and their amendments and additions, that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.
The court found that the exclusion applied to any statute that prohibits or limits “the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The court noted that BIPA regulates the retention, collection, disclosure, and destruction of biometric identifiers or biometric information, and the language of the exclusion in the policies bars the “collect[ion]” and “dissemination” of information. The court, applying the doctrine ejusdem generis, found that BIPA is of the same kind, character and nature as the enumerated statutes in the exclusion. Additionally, the court found that the main purpose of the exclusion was to exclude from coverage statutes that protect and govern privacy interests in personal information.
Citizens Ins. Co. of Am. v. Wynndalco Enterprises, LLC, Case No. 20 C 3873, 2022 WL 952534 (N.D. Ill. Mar. 30, 2022)
Clearview AI, a software recognition company allegedly extracted photographs from social media and content sharing platforms and collected more than three billion facial scans to create a database of fascial scans. Wynndalco Enterprises, LLC (“Wynndalco”), an information technology company, licensed and sold access to Clearview’s database, prompting class action lawsuits by Melissa Thornley and Mario Calderon, individually and on behalf of the class, asserting violations of BIPA.
Citizens Insurance Company of America (“Citizens”) sold a business liability insurance policy to Wynndalco. Wynndalco notified Citizens of the lawsuits filed by Thornley and Calderon and requested that Citizens provide it a defense. Citizens brought this declaratory judgment action seeking a declaration that its policy does not provide coverage for the two underlying lawsuits. The policy at issue is a Business Owners Insurance Policy which provides coverage for “personal and advertising injury.” Citizens claimed the Distribution of Material In Violation of Statutes Exclusion applied.
The policy exclusion states that the policy does not provide coverage for “‘Personal and advertising injury’ arising directly or indirectly out of any act or omission that violates or is alleged to violate … The Telephone Consumer Protection Act (TCPA) [47 U.S.C. § 227 et seq.] including any amendment of or addition to such law; or (2) The CAN-SPAM Act of 2003 [15 U.S.C. § 7701 et seq.], including any amendment of or addition to such law; (3) The Fair Credit Reporting Act (FCRA) [15 U.S.C. § 1681 et seq.], and any amendment of or addition to such law, including the Fair and Accurate Credit Transaction Act (FACTA); or (4) Any other laws, statutes[,], ordinances[,] or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”
The issue in this case was whether the Distribution of Material in Violation of Statutes Exclusion applied. The court found that the language of the exclusion was ambiguous on its face. Additionally, the court indicated that the canons noscitur a sociis and ejusdem generis were unhelpful, as the enumerated statutes did not contain any similarities to one another other than the fact that they all generally protected “privacy.” Additionally, the court found that privacy in the BIPA context meant something much different than in the context of the TCPA and CAN-SPAM ACT. For instance, the court noted that the TCPA protects privacy by regulating unauthorized communications that citizens receive, while BIPA protects privacy against identity theft. In finding the exclusion ambiguous, the court held that the lawsuits triggered Citizens’ duty to defend Wynndalco.
State Auto. Mut. Ins. Co. v. Tony’s Finer Foods Enterprises, Inc., Case No. 20-CV-6199, 2022 WL 683688 (N.D. Ill. Mar. 8, 2022)
Charlene Figueroa, a former employee of Tony’s, filed a lawsuit against Tony’s for violation of BIPA. Ms. Figueroa worked for Tony’s from March of 2017 through September of 2018. Tony’s took the fingerprints of its employees to clock in and out of work. Tony’s notified its broker (Assurance) of the lawsuit sometime between January and March of 2019. Tony’s had a CGL policy with State Automobile Mutual Insurance Company (“State Automobile”) from 2013 to 2016. Assurance did not provide notice of the lawsuit against Tony’s to State Automobile. Instead, Assurance provided notice to Tony’s other carriers under different policies.
On September 8, 2020, Tony’s tendered its defense to State Automobile. Thereafter, State Automobile filed this declaratory action. State Automobile argued the employment-related practices exclusion precluded coverage under the policy, and Tony’s breached the notice condition of the policy. The employment-related practices exclusion excludes coverage for
“Personal and advertising injury” to:
- A person arising out of any:
- Refusal to employ that person;
- Termination of that person’s employment; or
- Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, or discrimination directed at that person; …
The issue in this case was whether the BIPA violation was about an injury arising out of “employment-related practices.” The court found that the exclusion’s first two provisions (hiring and firing) shed light on the third provision to suggest that it applies to an adverse employment action, and not any and all claims about something that happens at work. The court noted that the “such as” language in the third provision was illustrative, as it is followed by a list of examples of treating an employee badly. The court found that scanning a finger was not a disciplinary action, and adding fingerprinting to the list would “stick out like a sore thumb,” as it is a “categorically different type of practice than everything else in the list.” The court held that the BIPA claims did not fall within the employment-related practices exclusion. Additionally, the court held that although Tony’s provided late notice to State Automobile, State Automobile suffered no prejudice.
Am. Family Mut. Ins. Co. v. Caremel, Inc., Case No. 20 C 637, 2022 WL 79868 (N.D. Ill. Jan. 7, 2022)
This action is a declaratory judgment action filed by American Family Mutual Insurance Company (“American Family”) based upon the underlying BIPA lawsuit brought against its insured, Caremel, Inc. (“Caremel”). American Family asserted that it had no duty to defend Caremel against the allegations asserted in the underlying lawsuit. American Family issued commercial general liability insurance policies to Caremel’s affiliate company, Swedeco, which operates McDonald’s restaurants in Illinois. Ross, an employee of McDonald’s sued Caremel individually and on behalf of a class of those similarly situated on the basis that Caremel violated BIPA when it required its employees to use a biometric time clock system which involved scanning their fingerprints whenever an employee commenced or stopped work. The identifying information was then disclosed by Caremel to a third-party timekeeping vendor. Caremel sought coverage under the policy, which stated “we will pay those sums the insured becomes legally obligated to pay as damages because of ‘bodily injury,’ ‘property damage’ or ‘personal and advertising injury’ to which this insurance applies.’ American Family denied coverage based on (1) the “Access or Disclosure Exclusion, (2) the “ERP Exclusion,” and (3) the “Violation of Statute Exclusion.”
The Access or Disclosure Exclusion excludes coverage “for personal and advertising injury … arising out of any access to or disclosure of any person’s … confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The court found that the Access or Disclosure Exclusion did not apply to the underlying lawsuit because based on the doctrine of ejusdem generis, the examples proceeding “any other type of nonpublic information” could not be interpreted to include fingerprints.
Next, the policy’s ERP Exclusion indicates it applies to suits alleging claims “arising out of any … employment related practice, policies, acts omissions, such as coercion, demotion, reassignment discipline, defamation, harassment, humiliation or discrimination directed at the person….” The court found that the practices listed in the exclusion were of the same nature as a BIPA violation because “coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation” each reflect practices that can cause an individual harm to an employee, and the same is true for a BIPA violation.
Finally, the court found that the Violation of Statute Exclusion contained nearly identical terms to the policy in Krishna, supra, and American Family failed to differentiate the terms from the exclusion in Krishna. Thus, the court held that the exclusion did not apply for the underlying lawsuit brought by Joseph Ross. However, American Family nevertheless had no duty to defend Caremel based on the ERP exclusion.
Am. Family Mut., Ins. Co., S.I. v. Carnagio Enterprises, Inc., Case No. 20 C 3665, 2022 WL 952533, at *1 (N.D. Ill. Mar. 30, 2022)
Carnagio Enterprises, Inc. (“Carnagio”) is a McDonald’s franchisee that was sued by its employees in a class action lawsuit for violation of BIPA. Carnagio informed its insurers, American Family Mutual Insurance Company and Austin Mutual Insurance Company, of the suit and requested coverage. Carnagio’s insurers brought this lawsuit seeking a declaration that they had no duty to defend Carnagio against the claims of its former employees in the underlying lawsuit. All parties agreed that the lawsuit arising under BIPA constituted a claim asserting a “personal injury” that triggered coverage under the policies. However, the parties disputed the applicability of the policies’ exclusions. First, the court analyzed the Employment Related Practices exclusion which precludes coverage for:
- “Bodily injury” or “personal and advertising injury” to:
- A person arising out of any:
- Refusal to employ that person;
- Termination of that person’s employment; or
- Employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation or discrimination directed at that person….
- A person arising out of any:
The court noted that district courts were split on the issue as to whether BIPA claims are unambiguously excluded by the ERP exclusion. However, the court found that Carnagio’s practice of requiring its employees to provide their fingerprints applied generally to all employees. Thus, applying the doctrine of noscitur a sociis, the court found that the exclusion did not apply. In support of its finding, the court noted that just because an alleged injury takes place at work does not by itself trigger the exclusion. Additionally, the court found that the phrase “such as” is a phrase of “general similitude indicating that there are includable other matters of the same kind which are not specifically enumerated[.]”
The court also analyzed the “Distribution Of Material In Violation Of Statutes” exclusion which precludes coverage for injuries arising out of:
(1) The Telephone Consumer Protection Act (TCPA), including any amendment or addition to such law; or
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
The court cited to Krishna, supra, and found that the application of ejusdem generis yielded the same result as in Krishna pursuant to the fact that the exclusion’s enumerated statutes were found to be materially different from BIPA. The court found that BIPA protected a different kind of privacy than the enumerated statutes.
Finally, the court analyzed the Access Or Disclosure Of Confidential Or Personal Information and Data-related Liability exclusion applicable to the Austin Mutual policy only. The court found the language of this exclusion (“any access to or disclosure of any person’s …personal information”) to be unambiguous. The court noted that the Access/Disclosure exclusion not only applied to “confidential” information, but also to an individual’s “personal” information, and Carnagio did not explain why biometric information would not constitute “personal” information as that term appeared in the exclusion. The court also found that the complaint in the underlying action alleged damages arising out of a third-party’s access to or Carnagio’s disclosure of personal information, placing it clearly within the scope of the exclusion. Consequently, the court held that the American Family policy provided coverage to Carnagio, but the Austin Mutual policy did not.