Attorneys explain insurance coverage for biometric privacy lawsuits
With the recent barrage of Biometric Information Privacy Act-related lawsuits brought to Illinois courts, several top privacy attorneys discussed what areas defendants should seek insurance coverage for the potentially high-stakes claims, according to a report by Law 360.
Though specialized cyberinsurance may make the most sense for companies to cover litigation costs, legal experts say they should also seek coverage in general liability and other more traditional policies.
Illinois’ BIPA, which was passed in 2008, requires employers using biometric information to obtain written consent from employees as well as prohibits them from selling it and requires them to explicitly state how long it is retained for.
The privacy law imposes a penalty of $1,000 for each negligent violation and $5,000 for each willful or reckless violation.
First, companies that manage biometric data should obtain a specialty cyberinsurance policy, attorneys say. These policies typically cover cybersecurity-related acts and omissions, including the failure to protect private information and violations of privacy-related statutes.
“Acts and omissions that would constitute violations of the [Biometric Information Privacy] Act would clearly trigger coverage under many cyber liability policies,” said Roberta Anderson, a partner in Cohen & Grigsby PC’s data security and insurance recovery practice groups.
Given the wide range of cyber policy forms, it is imperative for policyholders to ensure that a given policy’s definition of the phrase “confidential information” is far-reaching enough to include biometric data, which covers fingerprints as well as identifying markers collected from retina and iris scans, voice analysis and “facial geometry” scans.
For publishers, social media operators and other media firms, attorneys recommend also investing in a form of specialized errors and omissions insurance known as media liability coverage.
The coverage can be purchased as a standalone policy and as an add-on to business owners, professional liability and other policies.
Media liability insurance covers specified categories of wrongful acts by the policyholder, including defamation and invasion of privacy.
Attorneys say that if the policy’s privacy section is written broadly enough, it could cover claims brought under BIPA and similar statutes.
According to attorneys, companies hit with BIPA claims may also be eligible for coverage under their standard commercial general liability policies depending on what year the policy was issued.
Approximately five years ago, many insurers began to add exclusionary language drafted by the Insurance Services Office to their CGL policies in an effort to broadly preclude coverage for any data breach or other cyber-related exposures.
Some of the ISO exclusions eliminate a CGL policy’s coverage for personal and advertising injuries regarding privacy violations, some omit coverage for bodily injuries linked to cyber incidents, and some remove both.
“CGL policies have historically covered allegations the policyholder violated a third party’s right to privacy,” Anderson Kill PC shareholder Joshua Gold, said. “However, many CGL policies now include one of five ISO exclusions for cyber-related activities. Policyholders will have to closely review these exclusions to see whether they would be invoked for certain types of allegations.”
However, those companies that are accused of violating BIPA over a period of several years may potentially be able to gain coverage under an earlier-issued CGL policy without a cyber exclusion, according to attorneys.
Under those earlier CGL policies, BIPA claims would likely be considered within the coverage grant for third-party invasion-of-privacy claims, according to attorneys.
The lawyers also say that the policy’s bodily injury coverage may be triggered if the plaintiffs allege they experienced emotional distress due to a company’s collection of their biometric data.
Those actions relate to the defendants’ supposed unlawful corporate practices, and therefore, may implicate employment practices liability insurance, attorneys say.
Employment Practices Liability (EPL) policies aim to cover certain wrongful acts stemming from the employer-employee relationship, including wrongful termination and discrimination.
Some of these policies specifically cover claims regarding an employer’s infringement of its employees’ privacy.
In several of the employee class action suits brought under BIPA, the plaintiffs allege the defendant company breached employees’ privacy and jeopardized their personal information by unlawfully collecting biometric data.
Anderson said this coverage could be triggered if an EPL policy’s definition of wrongful acts is broad enough to include such alleged privacy breaches.
In August, a Chicago attorney recommended companies to be conscious of the litigation threat stemming from an increasing number of state laws protecting biometric privacy.