Insurer not on the hook for BIPA case; Businesses say privacy cases ‘frivolous’
Businesses running afoul of Illinois’ biometrics privacy law have less backup than they might have thought.
U.S. District Judge Harry Leinenweber, in a case involving a pair of McDonald’s franchise owners and their insurer, ruled that the restauranteurs were on their own in a privacy suit brought against them.
The matter no doubt will become ammunition for business leaders who would like to see state law changed to prevent such a situation from even occurring.
Like many businesses in the state, the owners of Caremel Inc. (through which Lawrence and Judith Linman own their eateries) required their employees to scan a fingerprint to clock in and out for each shift.
The Linmans did not get consent to take and store the data, as the Illinois Biometric Information Privacy Act requires. They were sued in 2019 by an employee, and the couple turned to their insurer, American Family Insurance.
The move might have been a hail Mary pass, and it did not work. Judge Leinenweber cited multiple provisions within the policy covering Caremel that would seem to clearly protect American Family.
The insurer said an exclusionary provision left Caremel on the hook for situations involving “access or disclosure of confidential or personal information and data related to liability,” according to the Cook County (Ill.) Record. The fingerprint biometric data collected by Caremel, however, is not a trade secret, financial or health information.
Another exclusionary provision provides coverage cutouts for matters related to employment practices and liability that are state law violations, the judge ruled. The Linmans had hoped to have American Family to either defend them or pay out to cover costs.
A settlement has been reached in a BIPA lawsuit against Pret a Manger (USA) Ltd., Law360 writes (subscription required). The suit alleged the usual lack of informed consent for collecting employee biometrics in a time and attendance system. The plaintiff has asked for approval of a $677,000 settlement, saying it will appropriately compensate the 800 Illinois residents who have worked for the company.
Each member of the class will get just over $500 under the proposed agreement, with an incentive bonus for the lead plaintiff.
Two days before the decision was handed down in the McDonald’s franchisee case, the Chicago Sun-Times published a letter from representatives of the Illinois Manufactures’ Association, Illinois Retail Merchants Association and Chicagoland Chamber of Commerce.
In it, the trio say BIPA is antiquated, and suggest two “common-sense” updates.
First, they suggest, there needs to be an exemption for security roles. “Some” biometric data should not be covered in scenarios involving the nation’s secure factories making energy, food and medicine as well as nursing homes.
Notices to employees are too much of a hurdle for what they describe as small and medium-sized businesses that are producing the nation’s critical foodstuffs and medicines. Nursing homes obviously require security, but no mention of orphanages is made.
And business owners who do fail to live up to any updated state law about biometrics should get a do-over, they contend. Companies need a chance to “notice and cure” a biometric privacy issue for a period during which they could not be sued, particularly, they write, when no actual “economic” harm has been done.
Unless these and other changes are made, the trio write, businesses will suffer unnecessarily under “frivolous” lawsuits when people want to control their most personal data.
Not addressed is the potential irreparable harm that comes with the loss of control of biometric data, the only identification once compromised can never be re-secured.