Identifying insurance coverage for alleged violations of the Illinois Biometric Information Privacy Act can be tricky – but it’s increasingly necessary.
In 2008, Illinois passed one of the first biometric privacy laws in the United States. The Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., did more than usher in a new wave of biometric information privacy protections. It has also ushered in a wave of class action lawsuits, with plaintiffs seeking to recover damages pursuant to BIPA’s hefty statutory penalties. Companies that collect, store, use, or disseminate biometric identifiers or information in Illinois should take stock of their insurance coverage and be aware of potential pitfalls and pressure points in their policies.
Requirements and Rationale of BIPA
The use of biometric technology in day-to-day operations is on the rise. Whether it’s a fingerprint scan to clock in and out of work or a retinal scan to confirm access to a restricted area, companies in virtually every industry are using and storing individuals’ biometric information. Consequently, more and more companies will face potential exposure under BIPA and similar legislation in other states, including New York, California, Texas and Washington. BIPA defines “biometric information” as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Biometric identifier “means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” BIPA imposes a number of requirements on private entities possessing biometric identifiers or biometric information, including:
• Inform individuals in writing of the specific purpose and length of time for which biometric identifiers or information are being collected, stored and used.
• Provide a publicly available retention schedule and guidelines for permanently destroying individuals’ biometric identifiers or information.
• Obtain a written release from individuals to collect, store, disseminate or otherwise use their biometric identifiers or information.
In enacting BIPA, the Illinois legislature recognized that: (1) biometrics are unique and, when compromised, place individuals at an increased risk of identity theft; (2) biometric technology is new, and “[t]he full ramifications of biometric technology are not fully known”; (3) the public is wary of using biometrics in connection with personal information; and (4) regulating the collection, use, and storage of biometric identifiers and information serves the public interest. 740 ILCS 14/5(c)-(g). The Illinois legislature passed BIPA to codify that any private entity in possession of biometric information cannot “disclose, redisclose, or otherwise disseminate a person’s ... biometric identifier or biometric information” unless the person consents to the disclosure or redisclosure. 740 ILCS 14/15(d).
The Rapid Rise of BIPA Class Actions Following Rosenbach
BIPA imposes penalties of up to $5,000 per violation. Unlike most of the biometric privacy acts in effect today, BIPA creates a private right of action for any person “aggrieved” by a BIPA violation. Any person “aggrieved” by a violation of BIPA may recover for each violation: (1) $1,000 “against a private entity that negligently violates BIPA”; or (2) $5,000 “against a private entity that intentionally or recklessly violates [BIPA].” 740 ILCS 14/20. In its much-discussed decision in Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that any person alleging a failure to comply with any aspect of BIPA – even in the absence of injury or harm resulting from the violation – is an “aggrieved person” under BIPA. “The violation, in itself, is sufficient to support the individual’s or customer’s statutory cause of action.” The Illinois Supreme Court’s decision that any person alleging a violation of BIPA qualifies as an “aggrieved person” with a private right of action was met with a spate of putative class action filings. More than 150 putative BIPA class actions have been filed since Rosenbach, which was only decided in January 2019. The relative ease of asserting a BIPA claim since Rosenbach, and the prospect of headline-grabbing settlements (like Facebook’s reported $550 million settlement), suggest that BIPA class action claims will continue to proliferate.
Insurance Coverage Considerations for BIPA Claims
Companies facing BIPA claims should consider a range of options for insurance coverage of defense costs, settlements, judgments and verdicts. BIPA claims allege a negligent or intentional invasion of privacy, often by an employer, involving sensitive personal information and systems utilizing that sensitive information. The nature of BIPA liability makes three types of policies natural contenders for coverage: commercial general liability (CGL) policies, employment practices liability (EPL) policies, and cyberinsurance policies.
In most cases, a CGL policy is the first place to look for coverage of a class action. The broad duty to defend under a CGL policy requires insurance companies to provide a full and complete defense if any allegation in the complaint conceivably could be covered. Many CGL policies promise to pay “all sums” that the policyholder is legally obligated to pay because of “personal and advertising injury,” which is often defined to include “publication of material that violates a person’s right of privacy.” In the case of West Bend Mut. Ins. Co. v. Krishna Schaumburg, an Illinois appellate court held that this “publication” clause encompassed a BIPA plaintiff’s allegation that fingerprint data was improperly provided to a third party and ruled that the insurance company had a duty to defend its policyholder.
Though West Bend is good news for policyholders, they still should expect insurance companies to raise a number of challenges to coverage under CGL policies. Insurance companies have brought declaratory judgment actions citing exclusions for “Access or Disclosure of Confidential or Personal Information and Data-Related Liability,” “knowing” violation of rights, and “Recording and Distribution of Material” in violation of the law. These exclusions must be carefully analyzed in order to determine their impact on coverage.
EPL insurance policies also are a valuable source of protection for companies facing BIPA liability based on biometric data practices in the workplace. EPL insurance provides coverage to employers for claims made by employees regarding defined sets of wrongful acts. Many BIPA claims are brought by employees alleging that their biometric identifiers and information improperly were collected, used or stored by the employer without the employees’ written consent. Because this is not the typical fact pattern that EPL insurance companies expect to encounter, and EPL policies are less standardized than CGL policies, policyholders can expect some resistance to their BIPA-related claims, such as arguments regarding whether plaintiffs meet the EPL policy’s definitions of “employee” or “independent contractor.” Many EPL policies include “invasion of privacy” in the policy’s definition of “wrongful act,” which ought to give policyholders a strong argument for coverage of potential BIPA liabilities.
Cyberinsurance also may be an avenue for coverage of BIPA claims, depending on the specific terms of the policy. While biometric data should fall squarely within a cyber policy’s definition of confidential information or data, cyberinsurance policies are not yet standardized and need to be scrutinized carefully. The scope of coverage under a cyber policy may depend on several policy provisions, but policyholders with potential BIPA liabilities should be especially wary of exclusions for claims “alleging, based upon, arising out of or attributable to the unlawful collection” of confidential information.
Third parties also may have a duty to provide insurance for any losses arising from a BIPA claim. Some policyholders hire third-party data companies to maintain their biometric scanning systems. Under the terms of the contract between the policyholder and the third-party data company, policyholders with exposure to BIPA claims may have the benefit of being an additional insured on the data company’s insurance policies. Policyholders should request and maintain complete copies of the policies on which they are listed as an additional insured, and confirm that there is adequate insurance for potential future BIPA claims.
Whether a company already is facing BIPA claims, or may face such claims in the future because it collects, uses or stores biometric information, it is critical to understand the possible insurance types that may respond and provide valuable coverage. Companies should work with their brokers and experienced insurance recovery counsel to ensure the best protection from this expanding universe of potentially damaging claims.