As the use of biometric information for verification purposes becomes more widespread, employers and others should be aware of the laws that regulate the collection, storage and dissemination of this data. In this regard, there have been several lawsuits involving the use or storage of biometric information that have resulted in multi-million dollar settlements.
The California Consumer Privacy Act (Civil Code Sections 1978.100 et seq.) defines biometric information as follows:
“Biometric information” means the physiological, biological or behavioral characteristics of an individual, including an individual’s deoxyribonucleic acid (DNA), which may be used, alone or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, iris, retina, fingerprint, face, hand, palm, vein pattern and voice recording images, from which an identifier pattern, such as a faceprint, minutiae pattern, or voiceprint, can be extracted, as well as tapping patterns or rhythms, walking patterns or rhythms, and sleep, health or exercise data containing identifying information. Cal. Civil Code § 1798.140(b).
While a number of states, including California, have laws that regulate the use or storage of biometric information, only two jurisdictions allow a private right of action. These are the Illinois Biometric Information Privacy Act (commonly referred to as “BIPA”) and New York City Code of Administration Section 22-1201-1205. Most disputes over biometric information have arisen out of alleged violations of BIPA.
In this regard, civil suits have sought the recovery of damages and attorneys’ fees, alleging that the defendant used, collected and stored the biometric data of its employees without informed consent. An additional allegation is that the employer failed to inform its employees of the specific purpose and duration for which their identifiers or biometric information would be collected, stored and used. See, for example, Twin Town Fire. Co. v. Vonachen Services, Inc., 2021 WL 4876943 (C.D. Ill. Oct. 19, 2021).
Companies that have been sued for alleged misuse of biometrics should consider tendering the claim to their liability insurance carriers. For example, there may be coverage under a CGL policy’s “personal and publicity damages” coverage, as a typical offense is “the oral or written publication of material that violates a person’s right to privacy.” See, for example, West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978, 183 N.E.3d 47 (2021). In Krishna, the court found that the “publication” requirement was met when the biometric information was shared with only one party (one of the defendant’s outside vendors) and not disseminated to a wide audience.
Another source of coverage could be D&O policies. In this regard, D&O policies usually contain an “invasion of privacy” exclusion. See, for example, Horn v. Liberty Ins. Underwriters, Inc., 391 F. Supp. 3d 1157 (S.D. Fla. 2019), aff’d, 998 F.3d 1289 (11th Cir. 2021). In the absence of such an exclusion, however, private company D&O policies that provide coverage to entities could provide coverage for such claims.
In Twin Town, the defendant company argued that the underlying complaints merely alleged “procedural violations of BIPA” that did not constitute an invasion of privacy. It also asserted that the underlying actions did not allege breaches involving disclosure or misuse, but only alleged breaches of process where plaintiff employees “did not face a risk of substantial harm to their privacy interests”.
The district court disagreed, noting that Illinois courts had found that BIPA codifies individuals’ right to privacy in their biometric identifiers and information. See West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., 2021 IL 125978 (Ill. 2021); Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1206 (Ill. 2019) (stating that individuals have the right to privacy and control over their biometric identifiers and biometric information). In summary, the Court rejected the company’s argument that BIPA is only violated if biometric information is surreptitiously collected or disseminated to third parties. For this reason, the Court determined that there was no coverage for the underlying claims under the D&O portion of the policy.
EPL policies could also come into play. Thus, the court in Twin Town determined that there was coverage under the EPL part of the policy. In this regard, a “wrongful act of employment practices” was defined to include the “breach of any oral, written or implied contract of employment, including, without limitation, any obligation under a staff handbook, employee handbook or policy statement.” According to the court, this wording implies that a staff handbook, employee handbook or policy statement can give rise to a contractual obligation.
Employer Vonachen successfully argued that its employee handbook required employees to use the designated point system or face penalties for non-compliance, including dismissal. It also pointed out that the manual stated that Vonachen “will comply with all applicable laws and regulations.” Based on these provisions, Vonachen’s argument for coverage was that because the manual required use of the timing system, and because Vonachen had bound itself in the manual to comply with all laws associated with this system, including BIPA, Twin Town’s duty to defend was triggered by the BIPA violations alleged in the underlying complaint.
Cyber policies can also be a source of coverage for biometric claims. Indeed, such information may be included among the types of data protected in the liability section of cyber policies. In this regard, a cyber policy could provide the broadest possible protection against biometric data privacy claims arising from regulatory actions and from civil lawsuits where the underlying law grants a private right of action or from privacy claims of employees.
Finally, there are three key exclusions policyholders should keep in mind. They are:
- The access or disclosure exclusion, which bars coverage for claims arising from access to or disclosure of confidential information or data.
- The ERP exclusion, which relates to employment-related practices and bars coverage for claims arising from employment-related practices.
- The violation of statute exclusion, which bars coverage for claims arising from the distribution of material in violation of the law.
Although there is little case law on these exclusions, some conclusions can be drawn.
The access or disclosure exclusion does not preclude coverage for a lawsuit under BIPA. Am. Family Mut. Ins. Co. v. Caremel, Inc., 2022 US Dist. 3475 (N.D. Ill. 2022). Compare: Massachusetts Bay Ins. Co. v. Impact Fulfillment Servs., LLC, 2021 US Dist. LEXIS 182970 (M.D.N.C. 2021) (holding that the recording and distribution of material or information is excluded from coverage for lawsuits under BIPA).
The ERP exclusion does not prevent coverage of a BIPA action. Am. Family Mut. Ins. Co. v. Carnagio Ent., 2022 US Dist. LEXIS 58358 (N.D. Ill. 2022); Auto Mut. Ins. Co. v. Tony’s Finer Foods Ent., 2022 US Dist. LEXIS 40567 (N.D. Ill. 2022).
But in the absence of a decision from the Illinois Supreme Court regarding the applicability of this exclusion, there is a split of authority. See Am. Family Mut. Ins. Co. v. Caremel, Inc., supra (determining that the ERP exclusion precluded coverage of a BIPA claim arising from the plaintiff’s employment activities).
The violation of statute exclusion does not preclude coverage for a BIPA lawsuit. Am. Family Mut. Ins. Co. v. Caremel, Inc., supra; West Bend Mut. Ins. Co. v. Krishna Schaumburg Tan, Inc., supra; Citizens Ins. Co. and Am. Family Mut. Ins. Co. v. Wynndalco Ent., LLC, 2022 US Dist. LEXIS 57654 (N.D. Ill. 2022) (because this exclusion is “inextricably ambiguous”, it did not override the insurer’s duty to defend).