Insurance Coverage Issues Facing Companies Accused of Violating Illinois’ Biometric Information Privacy Act

Companies are increasingly using the biometric information of employees and customers in their everyday business practices. Theme parks and sports venues use fingerprint scans to limit access to the original purchasers of tickets. Employers are fortifying security by controlling access through employees’ fingerprints and retina scans, instead of keycards and fobs. Time clocks and punch cards are being replaced by palm readers to combat timekeeping fraud. Social media companies are using face-matching and face-filtering software to enhance user experience. The use of biometric identifiers can enhance revenue, security, or both. However, the use of this information requires companies to at least temporarily collect and store individuals’ biometric information.

Illinois has a specific statute regulating a company’s collection and use of biometric information, the Biometric Information Privacy Act (“BIPA” or “the Act”), 740 ILCS 14/1 et seq. The penalties for violating the statute are draconian. Facebook recently settled a class action alleging violation of the Act for $550 million. Total potential damages could have exceeded $35 billion. The allegation: Facebook harvested facial data through its photo-labeling service, Tag Suggestions, from the photos of users in Illinois, without their permission.

The suits keep coming. On April 30, 2020, a proposed class action was filed against TikTok, a popular video-sharing app, alleging violation of the Act. According to the complaint filed by the guardians of two Illinois minors who used the app, TikTok collected biometric information from users without written consent, in violation of BIPA.

If your company utilizes or is considering using biometric information of individuals in Illinois, take the necessary steps to ensure compliance with the Act. If your company has been sued for allegedly violating BIPA, consider whether your company has insurance coverage for the claim.

I. What is “BIPA”?

“BIPA” is shorthand for Illinois’ Biometric Information Privacy Act, 740 ILCS 14/1 et seq. BIPA, which was passed in 2008, applies to any “private entity” that collects, stores, or uses the “biometric information” of any individual in Illinois. “Biometric information” includes “biometric identifiers” such as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” 740 ILCS 14/10. A private entity, such as an employer, amusement park, or social media company, may not collect or be in possession of the biometric information of any individual in Illinois unless it first:

(1)  Develops a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first;

(2)  Informs the individual in writing that biometric information is being collected and stored;

(3)  Informs the individual in writing of the specific purpose and length of term for which biometric information will be stored and used; and

(4)  Obtains a written release executed by the individual.

740 ILCS 14/15.

II.  Who has standing to sue and what are the penalties for violating the statute?

In short, anyone aggrieved by a violation of the Act can sue. 740 ILCS 14/20. The penalties for violating the Act are extreme. Specifically, a prevailing party may recover for each violation:

(1)  for negligent violations, $1,000 or actual damages, whichever is greater;

(2)  for intentional or reckless violations, $5,000 per violation or actual damages, whichever is greater;

(3)  reasonable attorneys’ fees and costs; and

(4)  other relief, including injunctive relief, as the court may deem appropriate.

740 ILCS 14/20.

In addition, a technical violation of the Act is sufficient to confer standing to sue. In other words, a plaintiff need not suffer actual harm to state a claim. See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (the fact that Six Flags did not improperly use or disclose biometric information of plaintiff was irrelevant – plaintiff was an “aggrieved” party under the Act because his legal right was “invaded by the act complained of”).

III.  Who is getting sued for BIPA violations?

Companies from all sectors are being sued for violating BIPA – from large companies like Facebook, Six Flags, and large chain fitness centers, to tanning salons, grocery chains, and daycare facilities. If your company is collecting biometric information on individuals in Illinois, your company is a potential target for a lawsuit. Violations of BIPA by companies tend to be systemic. Consequently, claims under the Act are typically brought as class actions, which are very expensive to defend and resolve. Currently, there are hundreds of class actions pending in Illinois alleging violations of BIPA.

IV.  What insurance coverage potentially covers a BIPA suit against your company? 

Depending on the allegations and causes of action contained in the BIPA complaint, there are numerous lines of insurance that may provide coverage. These include, at a minimum, the following: commercial general liability insurance (CGL), employment practices liability insurance (EPL), directors & officers insurance (D & O), errors and omissions insurance (E & O), and cyber & privacy insurance.

Insurance policies are not uniform. The terms, conditions, and exclusions can vary from one policyholder to another. Likewise, the allegations and causes of action contained in a complaint alleging a BIPA violation will vary. Whether your company might have coverage for a claim requires a detailed analysis of the complaint filed against your company and the insurance policies your company purchased.

Compared to many established areas of insurance coverage law, coverage for BIPA claims is the Wild West. There is hardly any Illinois case law involving the issue of whether a particular line of insurance coverage potentially provides coverage for a BIPA claim.

Here, I focus on two lines of insurance – EPL and CGL. In the most general sense, CGL policies provide coverage for third-party claims and EPL policies provide coverage for employee-related claims.

a.  Potential coverage for employee-related claims under EPL insurance.

Hypothetical: To combat timekeeping fraud (e.g., employee A signs in employee B, who oftentimes arrives late to work), your company replaces punch cards with a fingerprint scanner. Your company is not aware of the BIPA requirements, fails to inform its employees in writing that biometric information is being collected and stored, fails to receive written consent from its employees, and does not have a written policy establishing a retention schedule and guidelines for permanently destroying the biometric identifiers. An employee files a class action lawsuit against your company for negligently violating BIPA. Will your company’s EPL insurer defend your company against the claim?

EPL insurance generally provides defense and indemnity coverage to employers against claims made by employees for a “Wrongful Act” or “Wrongful Employment Practice.” Definitions of these terms oftentimes include “failure or refusal to create or enforce adequate workplace or employment policies and procedures…” and an “invasion of privacy” claim by an employee.

A complaint alleging violation of BIPA falls squarely within these definitions because the Act requires an employer who collects biometric information to have written compliance procedures and obtain a written release from the subject in advance of collection after informing them of the reason for collection and the compliance procedures. In addition, complaints alleging BIPA violations typically include invasion of privacy allegations, thereby potentially triggering the EPL policy.

Perhaps the biggest hurdle to coverage is the fact that EPL policies typically contain exclusions for employee claims alleging a violation of the law. But all hope is not lost. EPL exclusions are not uniform, and the violation of law exclusion may not be broad enough to encompass BIPA. In fact, many types of EPL policy forms specifically list the types of laws that fall under the violation of law exclusion – e.g., ERISA, Worker Adjustment and Retraining Notification Act (WARN), Occupational Safety and Health Act (OSHA), Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), National Labor Relations Act (NLRA).

The hypothetical claim falls within the insuring agreement of most EPL policies. Whether the EPL policy actually provides coverage likely depends largely on the exclusions, including the violation of law exclusions, which vary from policy to policy.

b.  Potential coverage for third-party claims under CGL insurance.

Hypothetical: Your company operates multiple gyms throughout Illinois and offers a type of membership allowing customers to patronize any gym in the system. Utilizing membership cards can erode profits because they can be passed to non-members for use. To combat this practice, your company requires new members to have their fingerprints scanned for the purpose of verifying their identity when they enter any of your gyms. Your company has a software subscription with a third-party vendor that processes the fingerprint scanning, requiring your company to share images of your members’ fingerprint scans with the vendor. However, your company did not obtain written releases from its new members allowing the company to disclose the biometric information to the third-party vendor. One of your members files a class action lawsuit against your company for negligently violating BIPA. Will your company’s CGL insurer defend your company against the claim?

CGL insurance generally provides defense and indemnity coverage to companies for third-party claims alleging: (1) “bodily injury;” (2) “property damage;” and (3) “personal and advertising injury.” A typical BIPA claim will not involve bodily injury or property damage. However, it may involve “personal and advertising injury,” which usually includes: “Oral or written publication, in any manner, of material that violates a person’s right of privacy.”

A complaint alleging violation of BIPA arguably falls within the definition of “personal and advertising injury.” Providing biometric information to the third-party vendor probably constitutes a “written publication … of material that violates a person’s right of privacy.” The biggest hurdle to coverage is likely the fact that many CGL policies contain an exclusion barring coverage for the recording and distribution of material or information in violation of the law, including: (1) the Telephone Consumer Protection Act; (2) the CAN-SPAM Act of 2003; or (3) any other statute that addresses, prohibits, or limits the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.

The Illinois First District Appellate Court’s recent decision in West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834, addressed a scenario very similar to the hypothetical. It involved a tanning salon that utilized fingerprint scans to allow its customers to patronize any tanning salon in the nationwide system. However, the tanning salon allegedly shared the fingerprint scans with a third-party vendor, without the customers’ permission.

The appellate court determined that the BIPA class action fell within the policy’s coverage for “personal injury” as a “publication which violates a person’s right to privacy” and found that the policy’s violation of statute exclusion did not apply to the BIPA violation allegations.

West Bend argued that Krishna’s act of sharing the fingerprint data with a third party did not constitute publication within the meaning of the policy, because the information was not shared with the public at large, but rather with only a single third party. The Appellate Court determined that “publication” encompassed both the sharing of information with the public at large and the sharing of information with a single third party.

The Appellate Court then addressed whether Krishna’s alleged violation of BIPA was excluded under the policy’s violation of statutes exclusion. West Bend argued that BIPA is a statute that would fall within the catch-all provision as a statute that regulates the sending of material or information. According to the Appellate Court, as written, the exclusion was only intended to apply to statutes that regulate methods of communication and, if West Bend wanted the exclusion to be interpreted more broadly, West Bend could have written the exclusion in a way that expressed that interpretation. Because BIPA does not regulate methods of communication, but instead regulates “the collection, use, safeguarding, handling, storage, retention and destruction of biometric identifiers and information,” the Appellate Court held the statutory exclusion did not apply. As such, West Bend had a duty to defend.

The outcome in Krishna may have been different if the CGL policy had a different violation of statute exclusion or if the policy excluded coverage for privacy violations. However, if your company is facing a BIPA lawsuit alleging disclosure to a third party, Krishna offers hope that your company’s claim may be covered.

The use of biometric information by companies is likely to increase. If your company’s operations implicate BIPA, ensure your company is in compliance. If your company is sued for allegedly violating BIPA, analyze all lines of your company’s insurance coverage to determine if the claim is covered.

This article is for general informational purposes and is not intended to be, and should not be taken as, legal advice.

For additional information, please contact Jake Mihm at (312) 575-8590 or jmihm@hokellc.com.