BIPA INSURANCE ALERT
Courts Interpret BIPA Liability and Damages Broadly
Insurance Available for BIPA Claims
BIPA Statutory Overview
The Illinois Biometric Information Privacy Act (“BIPA”) presents substantial potential liability to any company doing business in the state. It provides for draconian damages for the use of biometric information that is commonplace in other states. Because Illinois’ BIPA statute is unique in that it provides for private rights of action, it has produced a tsunami of class action lawsuits against companies, big and small.
In 2008, Illinois became the first state to enact a biometric privacy law that restricts a private company’s ability to collect, store, or transmit employees’ biometric information. “Biometric information” protected under BIPA includes facial-recognition technology, fingerprint scans, iris and retina scans, palm-print readings, and voiceprints. 740 ILCS 14/10.
BIPA prohibits a private company from collecting, storing, or transmitting biometric information unless it first: (1) informs the subject in writing that the biometric information is being collected or stored; (2) informs the subject in writing of the specific purpose and length of time for which that biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject. 740 ILCS 14/15(b).
Additionally, the company must develop a public-facing written policy which establishes a retention schedule and guidelines for permanent destruction of the biometric information collected. 740 ILCS 14/15(a). The company may only disclose or disseminate any biometric information it collects after it obtains consent or authorization from the subject. 740 ILCS 14/15(d).
BIPA establishes liquidated damages for violations of BIPA as follows: a negligent violation of the Act incurs liquidated damages of $1,000 or actual damages, whichever is greater. An intentional violation incurs liquidated damages of $5,000 of actual damages, whichever is greater. Additionally, the statute requires that a prevailing plaintiff may recover reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses. 740 ILCS 14/20.
In short, if a company requires employees to clock into work via a fingerprint scan or retina scan (for example), that company is required to comply with BIPA’s requirements. Failure to obtain its employees’ consent, establish a written policy regarding the handling of biometric data, and take reasonable care in securing that data gives rise to the potential for a class action BIPA claim in which the potential liability is considerable.
Courts Interpret BIPA Liability and Damages Broadly
The Illinois courts have interpreted BIPA expansively. In the last several years, Illinois courts have clarified and strengthened certain provisions of BIPA. For example, the Illinois Supreme Court held that a plaintiff does not need to show actual damages to sustain a BIPA claim; instead, there are presumed damages because the company’s violation of BIPA destroys an individual’s right to maintain his or her biometric privacy. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 34.
In Cothron v. White Castle System, Inc., 2023 IL 128004, the Illinois Supreme Court held that a BIPA violation occurs with every scan of biometric data, and not just the first scan. Nonetheless, the Cothron court endorsed a court’s discretion to fashion a damage award that both fairly compensates class members and includes an amount designed to deter future violations, without destroying defendant’s business. Cothron, at ¶ 42. How this discretion will be employed by courts remains to be seen. Lastly, the Illinois Supreme Court also decided that the statute of limitations for BIPA claims extends to five years. Tims v. Black Horse Carriers, Inc., 2023 IL 127801.
This combination of Supreme Court decisions points towards a perilous result for potential BIPA defendants: every scan, for every person, for five years can each yield at least a $1,000 damages award.
The exponential growth in the use of biometric data in the last decade has increased companies’ potential BIPA exposure and caught the attention of the plaintiffs’ class action bar. Possibly due to the novelty of BIPA, many companies – including some of the biggest in the world – apparently failed to appreciate the scope and onerous penalties imposed by the statute. Currently, thousands of BIPA class action lawsuits are pending. Some have resulted in dramatic settlements. For example, in 2020, Meta (formerly Facebook) settled a BIPA class action suit for $650 million. Accordingly, a class action BIPA lawsuit poses an existential threat for some potential and current defendants.
What Insurance Is Available for BIPA Claims?
Insurance that may be available to defend and indemnify BIPA claims include coverage for commercial general liability (“CGL”), Employment Practices Liability (“EPL”), Directors and Officers Liability (“D&O”), or other coverages for data or cyber breaches. If a BIPA claim is brought, you should immediately review all potential policies, contact your broker, and/or consult with coverage counsel. Any potential insurers should be placed on notice in a timely fashion. If a claim “potentially” falls within the coverages of an insurance policy, the insurer has—in most cases—a duty to defend the insured against the claim. Ultimately, however, a court may definitively find that coverage does not exist, eliminating the insurer’s duty to defend or duty to indemnify the insured for the ultimate BIPA damages.
The Insuring Agreement of the following types of policies may provide coverage for a BIPA claim, subject to potential exclusions and conditions which are discussed further below.
CGL Coverage:
The insuring agreement of a CGL policy can provide coverage for a “personal injury” or “advertising injury” that arises out of an “oral or written publication of material that violates a person’s right to privacy.” The Illinois Supreme Court has decided that allegations that a company shared biometric information with a third-party without prior authorization from the employee can trigger this coverage agreement. See West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, ¶¶ 36-51. Federal courts have agreed. See Continental Western Ins. Co. v. Tony’s Finer Foods Enters., Inc., 2023 WL 4351469, at *5-6 (N.D. Ill. July 5, 2023).
Unsurprisingly, litigation regarding several exclusions commonly located in CGL policies has risen. State and federal courts have examined three CGL exclusions in detail: the (1) employment related practices exclusion; (2) the access/disclosure exclusion; and (3) the violation of laws exclusion. Below is a general overview of typical language used in these exclusions and how the courts have interpreted, however, a careful examination of the precise text of each exclusion is paramount: small differences may spell noncoverage.
CGL Coverage: Employment-Related Practices Exclusion
The employment-related practices exclusion exempts coverage arising out of any “[e]mployment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed” at an employee. Most federal courts which have examined this exclusion have determined that allegations of BIPA violations do not trigger this exclusion because the BIPA related allegations are distinctly different from the kinds of practices listed in the exclusion. See Continental Western Ins. Co. v. Tony’s Finer Foods Enters., Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023); Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins., 2023 WL 319235 (N.D. Ill. Jan. 29, 2023); Am. Family Mut. Ins. Co., S.I. v. Carnagio Enters., Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022).
One court, however, disagreed. A federal court held that a BIPA violation constitutes individual harm, like the practices and acts listed in the exclusion, and, thus, triggered the exclusion to eliminate coverage. Am. Fam. Mut. Ins. Co. v. Caremel, Inc., 2022 WL 79868, at *4 (N.D. Ill. Jan. 7, 2022).
CGL Coverage: Access/Disclosure Exclusion
Courts are split on whether the “Access or Disclosure of Confidential or Personal Information” exclusion bars coverage for BIPA claims. This exclusion precludes coverage for any injury “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.” The question that arises is as follows: is biometric information “confidential or personal information”?
Among the courts that answer that question in the affirmative and decided that BIPA allegations are excluded from coverage due to the Access/Disclosure Exclusion: Am. Family Mut. Ins. Co., S.I. v. Carnagio Enters., Inc., 2022 WL 952533 (N.D. Ill. Mar. 30, 2022); Continental Western Ins. Co. v. Cheese Merchants of America, LLC, 2022 WL 4483886 (N.D. Ill. Sept. 27, 2022); Thermoflex Waukegan, LLC v. Mitsui Sumitomo Ins. USA, Inc., 2023 WL 319235 (N.D. Ill. Jan. 19, 2023).
Conversely, several courts have found that the Access/Disclosure Exclusion does not bar coverage: Am. Fam. Mut. Ins. Co. v. Caremel, Inc., 2022 WL 79868 (N.D. Ill. Jan. 7, 2022); Citizens Ins. Co. of Am. v. Thermoflex Waukegan, LLC, 2022 WL 602534 (N.D. Ill. Mar. 1, 2022); Citizens Ins. Co. of Am. v. Highland Baking Co., Inc., 2022 WL 1210709 (N.D. Ill. Mar. 29, 2022); Continental Western Ins. Co. v. Tony’s Finer Foods Enters., Inc., 2023 WL 4351469 (N.D. Ill. July 5, 2023).
Neither an Illinois state court nor the Seventh Circuit has yet weighed in on the Access/Disclosure Exclusion in a way that might resolve the tension.
CGL Coverage: Violation of Laws Exclusion
No other exclusion has generated more controversy between the courts related to insurance coverage for BIPA claims. The Illinois Supreme Court, the Seventh Circuit, and an Illinois appellate court have all weighed in on this exclusion and come to differing results. The distinction primarily arises due to different exclusion language.
The Illinois Supreme Court examined an exclusion which bars coverage for any alleged violations of two specific statutes—the TCPA and CAN-SPAM—or any other statute that “prohibits or limits the sending, transmitting, communicating or distributing of material or information.” Finding that BIPA does not regulate “methods of communication” like TCPA and CAN-SPAM do, the Illinois Supreme Court found that the exclusion does not bar coverage for BIPA claims. West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (2021).
The Seventh Circuit followed the lead of the Illinois Supreme Court in deciding in favor of the insured, even where it examined a slightly different version of the exclusion. That exclusion barred coverage for any alleged violations of TCPA, CAN-SPAM, FCRA, or FACTA, as well as any other laws or statutes that “address, prohibit or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.” The Seventh Circuit found that this version of the exclusion was too expansive, effectively swallowing coverage for any personal or advertising injury, and was thus ambiguous. Accordingly, the court ruled that the exclusion did not bar coverage. Citizens Ins. Co. of America v. Wynndalco Enters., LLC, 70 F. 4th 987 (7th Cir. 2023).
Recently, an Illinois appellate court expressly disagreed. Finding both that the statutes and acts described in the exclusion bar coverage for violations of “statutes that protect personal privacy” and that the exclusion was not ambiguous, the court ruled in favor of the insurer. Thus, the court set up a distinct disagreement between state and federal courts on the issue of whether this more expansive version of the exclusion bars coverage for BIPA claims. Nat’l Fire Ins. Co. of Hartford v. Visual Pak Co. 2023 IL App (1st) 221160.
EPL Coverage:
While most of the litigation around insurance coverage for BIPA claims focuses on CGL policies, one federal court concluded that the insuring agreement of an EPL policy also covers BIPA. There, the EPL insuring agreement provided coverage for a “breach of any oral, written, or implied employment contract, including, without limitation, any obligation arising from a personnel manual, employee handbook, or policy statement” as well as “an employment-related invasion of privacy.” This particular handbook both required employees to use the fingerprint scan-time clock and required the company to “comply with all applicable laws and regulations.” The company’s failure to abide by the BIPA regulations was, therefore, a breach of the handbook, and covered under the terms of the EPL insuring agreement. Twin City Fire Ins. Co. v. Vonachen Servs., Inc., 567 F. Supp. 3d 979 (C.D. Ill. Oct. 19, 2021).
EPL Coverage: Violation of Laws Applicable to Employers Exclusion
One exclusion common in EPL policies has been litigated in the Northern District of Illinois. There, a court found that an exclusion in an employment practices liability policy—called a “Violation of Laws Applicable to Employers” exclusion—precludes coverage for BIPA allegations. That exclusion bars coverage for allegations arising out of violations of any employers’ responsibilities or duties required by federal or state statutes. There are enumerated exceptions to the exclusion, but BIPA is not among them. Church Mut. Ins. Co. v. Prairie Village Supportive Living, LLC, 2022 WL 3290686 (N.D. Ill. Aug. 11, 2022).
D&O Coverage:
In the same Twin City v. Vonachen case, which discussed EPL coverage, the parties agreed that BIPA violations fell within the insuring agreement of a D&O policy. The D&O insuring agreement permitted coverage for civil proceedings alleging an “[e]rror, misstatement, misleading statement, act, omission, neglect, or breach of duty.” The insurer there chose not to contest that the insuring agreement was triggered. Twin City Fire Ins. Co. v. Vonachen Servs., Inc., 567 F. Supp. 3d 979 (C.D. Ill. Oct. 19, 2021).
Cyber Coverages:
As of this writing, there are no published opinions where a court has considered whether BIPA violations trigger a cyber liability policy. An Illinois state court, however, applied New York law in examining a “Beazley Breach Response” policy issued by Lloyd’s of London. The policy provided coverage for data and network liability and media liability.
“Media liability” was defined as violating an individual’s right to privacy during the course of creating “media material.” The parties agreed that “media material” included fingerprint scans, and the court decided that the collection of biometric information in violation of BIPA was a violation of the employee’s right to privacy.
On the other hand, the insuring agreement for “data and network liability” coverage in the policy appeared to require some general dissemination to the general public. The court held that no publication to the public at large was alleged, and, thus concluded no coverage under the insuring agreement.