Thermoflex Waukegan, LLC v. Mitsui Sumitomo Insurance USA, Inc.
Opinion
In the United States Court of Appeals For the Seventh Circuit

Nos. 23-1521 & 23-1578

THERMOFLEX WAUKEGAN, LLC, Plaintiff-Appellant, Cross-Appellee,
v.
MITSUI SUMITOMO INSURANCE USA, INC., Defendant-Appellee, Cross-Appellant.

Appeals from the United States District Court for the Northern District of Illinois, Eastern Division. No. 21 C 788 — John Z. Lee and Thomas M. Durkin, Judges.

ARGUED JANUARY 17, 2024 — DECIDED MAY 17, 2024
Before FLAUM, EASTERBROOK, and PRYOR, Circuit Judges.

EASTERBROOK, Circuit Judge. Thermoflex Waukegan required hourly workers to use handprints to clock in and out. This led to a claim that doing so without workers’ written consent, and using a third party to process the data, violated the Biometric Information Privacy Act, 740 ILCS 14/1 to 14/20 (BIPA or the Act). Thermoflex had multiple insurance policies in force during the years in question, including three from Mitsui Sumitomo Insurance. We call these the Basic, Excess, and Umbrella policies. Mitsui declined to defend or indemnify Thermoflex, leading to this suit under the diversity jurisdiction. (The litigation between Thermoflex and its workers is in state court.)

Before his appointment to this court, Judge Lee concluded that an exclusion in the Basic policy renders it inapplicable to any claim based on the Act. 595 F. Supp. 3d 677 (N.D. Ill. 2022). The exclusion provides that the insurance does not apply to

[claims] arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.
Judge Lee thought its application straightforward: the Act identifies biometric information as confidential (“nonpublic”), see 740 ILCS 14/10, 14/15(e)—and, although the effect of the exclusion depends on the meaning of the policy rather than the meaning of the Act, the ordinary understanding of “confidential or personal information” includes handprints and other biometric identifiers usable for identity theft.

Illinois enforces unambiguous language in insurance policies. See, e.g., Sanders v. Illinois Union Insurance Co., 2019 IL 124565 ¶23. Thermoflex maintains that this policy is ambiguous because the exclusion mentions patents, which are public. True, the list contains mismatched items. But how does this create ambiguity about either the opening phrase (“any person’s or organization’s confidential or personal information”) or the catchall (“any other type of nonpublic information”)? Sticking one blue item into a list that begins “all red items including …” and closes “plus anything pink” does not nullify the language’s application to ruby-colored things. See, e.g., CSX Transportation, Inc. v. Alabama Department of Revenue, 562 U.S. 277, 295 (2011) (explaining that the ejusdem generis canon does not limit general language just because items in a list are dissimilar).

Thermoflex also relies on Citizens Insurance Co. v. Wynndalco, 70 F.4th 987 (7th Cir. 2023), which holds that, under Illinois law, an exclusion for coverage of claims based on “laws, statutes, ordinances, or regulations, that address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information” does not apply to a claim under BIPA. Wynndalco concluded that a broad reading of this exclusion would nullify coverages expressly provided elsewhere in the policy. It did not take long for a state appellate court to hold that Wynndalco misunderstood Illinois law and that such a clause in an insurance policy indeed blocks coverage of claims under BIPA. National Fire Insurance Co. v. Visual Pak Co., 2023 IL App (1st) 221160. We need not try to predict whether the Supreme Court of Illinois is more likely to follow Visual Pak than to follow Wynndalco. It is enough that the exclusion in this policy does not have the flaw that led to the decision in Wynndalco. It leaves plenty of room for coverage of the main insured hazards.

That’s all we need to say about the Basic policy.

The Excess and Umbrella policy has two parts. Coverage E (for “Excess”) contains the same exclusions as the Basic policy, because it incorporates all limitations in the Basic policy. District Judge Durkin, who handled the case after Judge Lee was appointed to this court, held that Coverage E does not apply to claims under the Act. 2023 U.S. Dist. LEXIS 9282 at *10–12 (N.D. Ill. Jan. 19, 2023). Because we agree with Judge Lee’s understanding of the Basic policy, we also agree with this aspect of Judge Durkin’s understanding of Coverage E, which means that the Excess coverage drops out.

Coverage U (for “Umbrella”) lacks an exclusion relating to nonpublic information. (It does not matter what Coverage U includes; the parties agree that it covers BIPA claims unless something excludes coverage.) Judge Durkin found that none of the three arguably applicable exclusions to Coverage U is so clear that it forecloses a duty to provide Thermoflex with a defense in the state-court suit. Id. at *12–29. This federal case is about the duty to defend, not the duty to indemnify. (It would be premature to consider indemnity, as the underlying litigation has not been resolved. See Lear Corp. v. Johnson Electric Holdings Ltd., 353 F.3d 580 (7th Cir. 2003).) In Illinois genuinely ambiguous provisions are construed in favor of coverage. See, e.g., Rich v. Principal Life Insurance Co., 226 Ill. 2d 359, 371 (2007).

The parties call the first of these exclusions the “Statutory Violation Exclusion”. It blocks coverage of matters arising directly or indirectly out of violations of or alleged violations of:

(1) the Telephone Consumer Protection Act (TCPA), including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations;
(2) the CAN-SPAM Act of 2003, including any amendments thereto, and any similar federal, state, or local laws, ordinances, statutes, or regulations;
(3) the Fair Credit Reporting Act (FCRA), including any amendments thereto, such as the Fair and Accurate Credit Transaction Act (FACTA), and any similar federal, state, or local laws, ordinances, statutes, or regulations; or
(4) any other federal, state, or local law, regulation, statute, or ordinance that restricts, prohibits, or otherwise pertains to the collecting, communicating, recording, printing, transmitting, sending, disposal, or distribution of material or information.
Thermoflex maintains that this is another exclusion of the kind we addressed in Wynndalco; Mitsui asks us to overrule Wynndalco in light of Visual Pak. But we put both Wynndalco and Visual Pak aside and instead ask, as Judge Durkin did, how West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, applies to an exclusion with this structure. The exclusion in Krishna blocked coverage of:

(1) The Telephone Consumer Protection Act (TCPA), including any amendment of or addition to such law; or
(2) The CAN-SPAM Act of 2003, including any amendment of or addition to such law; or
(3) Any statute, ordinance or regulation, other than the TCPA or CAN-SPAM Act of 2003, that prohibits or limits the sending, transmitting, communicating or distribution of material or information.
The Supreme Court of Illinois held that the third part of this exclusion—“[a]ny statute … that prohibits or limits the sending [etc.] of material or information”—did not apply to BIPA claims. True, that Act “limits” the use of biometrics in the sense that it requires the consent of the person whose information is involved. But the Supreme Court of Illinois did not see this as similar to the two listed statutes, and, applying the ejusdem generis canon, it held that clause (3) of this exclusion deals only with statutes that are like the first two in some way. Deeming BIPA unlike TCPA and CAN-SPAM (whose scope we need not elaborate), Krishna held the exclusion too uncertain in scope to foreclose coverage of BIPA matters. 2021 IL 125978 ¶¶ 55–59.

The Statutory Violation Exclusion to Coverage U in Thermoflex’s policy begins with the same two statutes as the policy in Krishna and adds a third, the Fair Credit Reporting Act. One need not get beyond the name of that statute to see how different it is from BIPA. In this diversity suit, we are bound by the way the Supreme Court of Illinois has treated language structured like the Statutory Violation Exclusion, so we agree with the district court that this exclusion from Coverage U does not apply to BIPA.

The next arguably applicable exclusion bears the caption “Data Breach Liability”. It provides that the policy does not cover

1) … [loss] arising out of disclosure of or access to private or confidential information belonging to any person or organization; or
2) any loss, cost, expense, or “damages” arising out of damage to, corruption of, loss of use or function of, or inability to access, change, or manipulate “data records”.

This exclusion also applies to “damages” for any expenses incurred by “you” or others arising out of 1) or 2) above, including expenses for credit monitoring, notification, forensic investigation, and legal research.
Like the district court, we think that the body of this exclusion must be understood to match its caption—that is, to situations in which hackers obtain access to personal information. Although BIPA surely involves “disclosure of” information, its principal concern is disclosure to Thermoflex (and its contractors), not to hackers who get data from Thermoflex. The reference to credit monitoring expenses and forensic investigation drive home the point that the “data breach” caption accurately describes the scope of this exclusion. The meaning of all language depends on context rather than isolated phrases, and the language of this exclusion as a whole shows that it does not apply to all violations of BIPA.

We grant that, if Thermoflex and contractors do not have workers’ biometric information, it is less likely to be available to hackers. Inadequate control of biometric information that leaks out could violate BIPA, which requires entities that collect biometric information to keep it confidential. The data-breach exclusion would apply to situations in which hackers obtained biometric information from Thermoflex. That’s not what the underlying state suit is about, however.

This brings us to the third exclusion, which the parties call the “ERP exclusion” (for “employment-related practices”). This bars coverage of injury arising out of:

a) refusal to employ that person;
b) termination of employment of that person; or
c) coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, malicious prosecution, discrimination, sexual misconduct, or other employment-related practices, policies, acts, or omissions directed towards that person[.]
Parts (a) and (b) of this exclusion don’t have anything to do with BIPA claims. Mitsui relies on part (c), observing that collecting and processing handprints to determine how much time an employee spends at work is an “employment-related practice[]”. Granted. But is that practice “directed towards” any given worker? Like the district court, we understand “directed towards that person” as identifying acts that are employee-specific—much as parts (a) and (b) are employee (or applicant) specific. A general policy requiring all hourly workers to place their hands on a scanner is an employment-related practice but is not “directed towards” any given employee. It is just a term or condition of employment, and this exclusion taken as a whole is not concerned with the terms and conditions of employment.

As far as we can see, the Illinois judiciary has yet to address how language such as the Data-Breach Liability exclusion and the ERP exclusion applies to claims under BIPA. In the absence of an authoritative decision, our understanding of all three exclusions has been informed by Krishna.

The Umbrella policy provides for defense and indemnity only after underlying insurance (and deductibles, which the policies call self-insured retentions) has been exhausted. This opinion does not address indemnity. Because Thermoflex has at least one other policy that applies to the BIPA claims, see Citizens Insurance Co. v. Thermoflex Waukegan, LLC, 588 F. Supp. 3d 845 (N.D. Ill. 2022), the duty to defend does not begin until the limits of that policy (plus deductibles) have been exhausted. With that proviso—which is part of the district court’s decision and judgment, see 2023 U.S. Dist. LEXIS 9282 *31–32—we hold that Mitsui owes Thermoflex a defense under the Umbrella policy.

AFFIRMED
- Status
- Published