Insurance company responsible for biometric data privacy lawsuit defense and damages

Companies found to have violated Illinois’ Biometric Information Privacy Act may be eligible for insurance coverage of the damages, after an insurer has been found responsible for defending and covering damages against a client by the 1st District Appellate Court, according to the Chicago Daily Law Bulletin.

West Bend Mutual Insurance Co. sought a declaratory judgement that it was not obligated to defend or indemnify the salon defendent in Sekura v. Krishna Schaumburg Tan, which was partially granted and partially denied by a Cook County Associate Judge in May, 2018. Both parties agreed the insurer’s duty to defend the salon depended on the definition of “publication” in the coverage policy.

Justice Mary L. Mikva, joined by a pair of other justices, upheld the previous ruling, and found in favor of the salon that publication does not necessarily mean to the public, as West Bend had argued, but could also include sharing of information with a third party. If West Bend’s definition of publication was judged the right one, the BIPA violation would fall under an exclusion in the coverage policy.

“In short, the violation of statutes exclusion applies to bar coverage to violations of statutes that regulate methods of communication,” Mikva wrote. “The [Biometric Information Privacy] Act says nothing about methods of communication. It instead regulates ‘the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.’”

Clarification on the obligations of insurance companies under BIPA has been sought for years, and more will likely be provided when the District Court for Northern Illinois rules on a case involving McDonald’s franchisees, in which the exclusion refers specifically to “sending, transmitting, communicating, or distribution of material or information.”

The dispute itself was ruled reasonable, so West Bend is not liable for Krishna’s attorneys fees and costs.

Barnes & Thornburg LLP partner Scott Godes tells Law360 that the West Bend case is significant because a non-cyber insurance policy has been found to apply to a data privacy law.

Indiana bans implants

A new law has been adopted in Indiana making it illegal for businesses to require their employees to have devices such as microchips or RFID tags implanted into their bodies, Bloomberg Law reports.

The new bill was recently signed into law, and takes effect July 1.

No employer is known to be requiring implants at this time.

Arkansas, California, Missouri, Montana, Nevada, New Hampshire, North Dakota, Oklahoma, Utah, and Wisconsin already have similar laws on the books.

Shutterfly defends email to plaintiffs

Shutterfly has filed a response to allegations by putative class members that it improperly tried to arbitrate the dispute with a mass email, arguing that that it did not attempt to misinform users or bind them to arbitration, Law360 writes in a separate article.

The company updated its existing arbitration clause in the email, and plaintiffs claimed that it told them unless their accounts were closed within a month, they would have to arbitrate all claims against the company on an individual basis. Shutterfly also says a cased considered analogous by the plaintiffs, in which arbitration agreements were considered “coercive and misleading,” is too different to compare, in part because Shutterfly merely updated an existing arbitration clause, rather than creating a new one.

Users also could not prove that they would be able to win certification as a class, the defendants’ attorneys argue.

While BIPA suits and damages continue to mount, a pending request by Albertson’s, owner of grocery chain Jewel-Osco, to have the State Supreme Court rule on whether treating government and financial services organizations differently than others makes the Act prohibited by the state constitution.

The argument was defeated in Cook County Court in January, but the company filed a motion for interlocutory appeal in February. If it is ultimately successful, the suit would likely impact all suits against HIPAA-covered healthcare organizations, at least.

Article Topics

biometric data  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data protection  |  data sharing  |  lawsuit  |  privacy