Insurance Coverage for Biometric Privacy Statute Suits: Recent Developments
In the last year, biometric privacy-related litigation has been steadily increasing, and so have the insurance coverage disputes related to it. Illinois has been the center of this litigation in the last year due to its expansive Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”), which was enacted in 2008. BIPA is intended to protect the privacy interests related to an individual’s unique biometric identifiers, such as fingerprints, facial geometry, and retina and iris scans, and creates a private right of action for individuals to seek statutory liquidated damages. Since BIPA’s enactment, additional states, such as California, New York and Massachusetts, have introduced legislation based on BIPA.
The Illinois Supreme Court and district courts in Illinois have recently addressed claims brought pursuant to BIPA, including cases involving insurance coverage for those claims. These recent decisions will have broad implications for cases arising under BIPA and will contribute to the already robust volume of BIPA litigation, including the attendant coverage actions. To complicate matters more, on February 2, 2023, the Illinois Supreme Court unanimously held a five-year statute of limitations period applies to claims brought under all sections of BIPA. Tims v. Black Horse Carriers, Inc., No. 2019-CH-03622, 2019 WL 13079191, at *2 (Ill. Cir. Ct. Sep. 23, 2019). And on March 16, 2023, an Illinois court granted class certification to a group of employees who alleged their employer H&M violated their privacy by requiring them to scan their fingerprints to clock in and out while not properly collecting, storing or using the data pursuant to BIPA. Slater v. H&M, 2018 WL 6921177 (Ill. Cir. Ct. 2018). While this is certainly not the first instance in which a court has certified a class action with underlying BIPA claims, such decisions give BIPA plaintiffs momentum and disseminate a message that BIPA litigation is not slowing down. Indeed, on the same day as the decision in H&M was entered, Amazon became the first major corporation to be sued in a proposed class action lawsuit under New York City’s Biometric Privacy Act.
These recent BIPA developments continue to expand potential liability for businesses, necessitating an understanding as to when and under what circumstances insurance may help cover the costs.
Policies That May Respond To BIPA Claims
Suits for violations of BIPA to date have mostly been brought by an employee of a company or as a class action on behalf of a class of employees. In most cases, companies should look to their commercial general liability (“CGL”), employment practices liability and cyber insurance policies for possible coverage. Insurers have raised several coverage defenses, most of which are based on policy exclusions, including (1) the employment-related practices exclusion, (2) the violation of statutes exclusion, and (3) the access or disclosure exclusion. The case law as to whether insurers must defend BIPA suits is mixed and depends on the policy language, so insureds should carefully review their policies and press their insurers for coverage.
Coverage Under CGL Policies
Courts have come to varying conclusions as to whether CGL policies cover BIPA claims. In 2022, the Supreme Court of Illinois found the insurer owed a defense under its CGL policy for a BIPA suit, holding the policy provided coverage for “personal injury.” Specifically, the court in West Bend Mutual Insurance Company v. Krishna Schaumburg Tan, Inc., found the policy provided coverage and rejected the insurer’s assertion that the term “publication” in the covering provision requires “distribution” of “material that violates a person’s right of privacy.” The court explained the term “publication” is ambiguous as it can have more than one meaning: a “publication” can occur where the information is shared only with one other party. Most recently, in Continental v. Cheese Merchants, the Northern District of Illinois found coverage was precluded based on several exclusions in the policy. In Cheese Merchants, an employee alleged the biometric time tracking system that used hand scans for authentication violated BIPA because the company purportedly gathered the biometric data without the employee’s consent. The insurer sought declaratory judgment that it had no duty to defend the company under the policy based on (1) the “employment-related practices” exclusion; (2) the “disclosure of personal information” exclusion; and (3) the “violation of law” exclusion. The court held the employment-related practices exclusion does not preclude coverage because the requirement that employees clock in and out by scanning the backs of their hands did not come within the employment-related practices intended to be excluded. However, the court held the other exclusions raised by the insurer were applicable and precluded coverage.
With respect to the disclosure of personal information exclusion, the court reasoned the purpose of BIPA is to protect personal information and disagreed with the insured that the “disclosure of personal information” was not “health information” as one of the enumerated categories in the exclusion. The court explained, “health information” is similar, and likely even encompasses, “information about one’s body (like the hand scans here).” The court also determined that the “violation of law” exclusion “sweeps broadly,” finding that its broad nature encompassed plaintiff’s claims under BIPA. Id. at *10. Contrary to the Cheese Merchants court, in Thermoflex Waukegan LLC v. Mitsui Sumitomo Insurance USA Inc., the district court in Chicago ruled Mitsui had a duty to defend its insured for a BIPA suit under its umbrella policies. The court found the statutory violation exclusion is ambiguous and the data breach exclusion had to be construed in favor of coverage because it was limited to data breaches.
These recent decisions almost certainly will result in a significant increase in litigation, damages, and costs surrounding BIPA claims. With the increased use of biometric technology, private entities which collect and use biometric data should implement greater safeguards to ensure such data is transmitted only with the subject’s consent. Further, ensuring robust privacy policies and data protection programs can help mitigate risk and ensure legal compliance. Any applicable policies should be closely reviewed for coverage, including CGL, employment practices liability insurance, and cyber insurance policies. Given that the bulk of coverage defenses are focused on exclusions, which must be narrowly construed in favor of coverage, insureds should press for coverage (unless and until insurers begin to specifically exclude BIPA claims). Insurers, on the other hand, should consider the risks and exposure associated with taking on clients that rely on biometric systems.