By Peter Halprin and Tae Andrews, Pasich LLP
Recent litigation has upped the ante for companies facing lawsuits filed under Illinois’ Biometric Information Privacy Act (BIPA). Under BIPA, a company can be assessed damages of $1,000 to $5,000 per violation for the improper collection, use, or disclosure of biometric data.
In a case currently before the Illinois Supreme Court, Cothron vs. White Castle, the Court must decide how to calculate the number of violations for a given incident under the BIPA. If the Court determines that every fingerprint scan, for example, is a violation, the potential damages under BIPA could become astronomical.
Fortunately, companies are not without recourse as insurance may be available to protect against the financial impact of BIPA lawsuits. In particular, several recent decisions have come out in favor of insurance coverage for companies seeking to defend against BIPA lawsuits under General Liability (GL) policies.
In the historic case of Krishna Schaumburgthe Illinois Supreme Court ruled that GL policies’ coverage for “personal and public injury” (which covers claims brought by third parties against the insured alleging “the oral or written publication, in any manner whatsoever , material that violates a person’s right to privacy”) applies to BIPA claims and requires the insurer to provide a defense against them.
Following the Krishna decision, insurers sought to avoid coverage based on certain exclusions from GL policies: the exclusion of employment-related practices, the exclusion of distribution of material in violation of laws, and the exclusion of access or disclosure of confidential or personal information. Although these exclusions are not worded consistently across policies, and therefore there is some nuance for the courts, the majority of courts analyzing these exclusions have rejected their application to BIPA claims.
The exclusion of employment-related practices may, for example, seek to exclude coverage of “employment-related practices, policies, acts or omissions, such as coercion, demotion, appraisal, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution”. directed against that person. » Insurers often raise this exclusion as a coverage defense because many BIPA claims are brought by employees alleging that their employer violated BIPA by requiring them to use their fingerprints to enter and exit their shifts. However, several recent decisions rejected this argument, holding that the exclusion only applies to “unemployment-unfriendly actions,” such as refusing to hire, firing, or targeted abuse of a specific employee.
Insurers have also tried to avoid providing a defense by claiming that the exclusion of distribution of material in violation of the laws prohibits coverage for BIPA claims. This exclusion may, for example, seek to exclude coverage for violations of the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act of 2003, the Fair Credit Reporting Act (FCRA), of the Fair and Accurate Credit Transaction Act (FACTA) or “any other laws, statutes, ordinances or regulations which address, prohibit or restrict the printing, dissemination, disposal, collection, recording, sending , transmission, communication or distribution of material or information. Several recent decisions have also ruled that this exclusion does not remove coverage for BIPA claims. In arriving at their decisions, these courts analyzed whether BIPA was similar to the other examples of excluded laws listed and determined that either BIPA was different from the other laws or the exclusion was unclear. Specifically, some of the laws listed (such as TCPA and CAN-SPAM) regulate “methods of communication” or “privacy as isolation” – protection against unauthorized or unwanted communications that citizens receive. In contrast, some of the other laws (such as the FCRA and FACTA) regulate “privacy as a secret” – private information that citizens reveal. Because these courts considered it unclear whether BIPA was similar to the other listed excluded laws, these courts found the exclusion to be ambiguous and declined to apply it to bar coverage for the claims of the BIPA.
Finally, insurers have also attempted to avoid paying BIPA claims by invoking exclusion from access or disclosure of confidential or personal information. This exclusion may, for example, be intended to exclude coverage for “any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, lists of customers, financial information, credit card information, health information, or any other type of non-public information.To analyze whether the exclusion applied, a court rejecting the exclusion compared biometric data to the other examples of “confidential or personal information” excluded and felt that it was “unclear at best” whether biometric information such as fingerprints was similar, as the BIPA specifically states that “biometrics is different from other unique identifiers used to access finances or other sensitive information.
Taken together, these decisions are an encouraging sign for policyholders seeking defense coverage for BIPA lawsuits. Although insurers have gone to great lengths to try to avoid paying these claims, the courts have largely rejected their arguments and ruled that insurers have a duty to defend their policyholders against BIPA’s claims. These decisions have become even more important because BIPA presents a dangerous source of potential exposure, according to how the Illinois Supreme Court rules in cothron on the calculation of damages under the law. Additionally, while BIPA remains the primary law regarding the collection, use, and disclosure of biometric data, more states have begun enacting similar laws, presenting new sources of potential liability for businesses. that use biometrics. As the regulatory landscape becomes increasingly threatening, establishing insurance coverage for claims related to biometric data has never been more important. Don’t take your insurer’s word for it.
About the authors
Peter A. Halprin is a partner in the New York office of Pasich LLP. Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cybercrime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. He can be reached at [email protected] or (646) 974-6470.
Tae Andrews is a senior managing partner in the New York office. Tae has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He can be reached at [email protected] or (646) 517-5051.
DISCLAIMER: Biometric Update industry overviews are submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect the opinions of Biometric Update.
biometric data | biometric identifiers | biometrics | BIPA | data privacy | insurance | trial | legislation | Pasich srl