Insurance companies argue no obligation to defend clients in biometric privacy suits
Two insurance companies have told a California federal court that their coverage of software company Omnicell Inc. does not cover statutory violations, and therefore they have no obligation to defend or indemnify the company in a pending suit filed under Illinois’ Biometric Information Privacy Act (BIPA), Law360 reports.
Zurich American Insurance Co. and American Guarantee & Liability Insurance Co. have asked a court in the Northern District of California to issue a declaration absolving them of any responsibility to Omnicell in the Illinois state court suit. They cite multiple exclusion clauses in the policy, including two that identify claims stemming from “collection or distribution of material or information” or “recording and distribution of material” which is ruled illegal.
The proposed class action suit against Omnicell, as well as Northwestern Medicine Lake Forest Hospital and medical technology provider Becton Dickinson was filed by a former registered nurse, Yana Mazya, who used fingerprint authorization to access an automated medication distribution system. Mayza alleges the data is vulnerable to theft by third parties because the companies did not provide a timetable for destroying the biometric templates, and also that they failed to secure employee consent to collect and use the data. She is seeking damages of up to $5,000 per violation, plus associated court costs.
The insurers cite a 2015 decision by the Ninth Circuit, in which Zurich American was ruled to have no duty to defend a client because the client’s policy excluded statutory violations. Zurich is also seeking to recover costs it has occurred on Omnicell’s behalf, according to the report.
The future of the BIPA suit is uncertain, with an Illinois federal judge recently ruling that no sufficient injury had been established in a suit brought against United Airlines by a former employee. The “harm” criteria of BIPA is currently being weighed in several cases, and could have a major impact on the volume of suits filed under the regulation. A coalition of privacy advocacy groups filed a brief in July that procedural violations are sufficient to make an individual “aggrieved” under the statute.