Insurance coverage for Illinois BIPA ruling

By Peter Halprin and Tae Andrews, Pasich LLP

Recent litigation has raised the stakes for companies facing lawsuits brought under Illinois’ Biometric Information Privacy Act (BIPA). Under BIPA, a company may be assessed damages of $1,000 to $5,000 per violation for the improper collection, use, or disclosure of biometric data.

In a case currently before the Illinois Supreme Court, Cothron v. White Castle, the Court is set to decide how to calculate the number of violations for a given incident under BIPA.  If the Court determines that each fingerprint scan, for example, is a violation, potential damages under BIPA could become astronomical.

Fortunately, companies are not without recourse as insurance may be available to protect against the financial impact of BIPA lawsuits.  In particular, several recent decisions have held in favor of insurance coverage for businesses seeking a defense against BIPA lawsuits under General Liability (GL) policies.

In the landmark case of Krishna Schaumburg, the Illinois Supreme Court held that GL policies’ coverage for “personal and advertising injury” (which covers claims brought by third parties against the policyholder alleging “oral or written publication, in any manner, of material that violates a person’s right of privacy”) applies to BIPA claims and requires the insurer to provide a defense against them.

Following the Krishna decision, insurers have sought to avoid coverage based on certain exclusions in GL policies: the Employment-Related Practices Exclusion, the Distribution of Material in Violation of Statutes Exclusion, and the Access or Disclosure of Confidential or Personal Information Exclusion.  While these exclusions are not uniformly worded across all policies, and so there is some nuance for courts to address, the majority of courts analyzing these exclusions have rejected their application to BIPA claims.

The Employment-Related Practices Exclusion can, for example, seek to exclude coverage for “employment-related practices, policies, acts or omissions, such as coercion, demotion, evaluation, reassignment, discipline, defamation, harassment, humiliation, discrimination or malicious prosecution directed at that person.”  Insurers often raise this exclusion as a coverage defense because many BIPA claims are brought by employees alleging that their employer violated BIPA by requiring them to use their fingerprints to clock into and out of their shifts.  However, several recent decisions have rejected this argument, holding that the exclusion only applies to “adverse employment actions,” such as refusing to hire, firing, or targeted mistreating of a specific employee.

Insurers have also tried to avoid providing a defense by claiming that the Distribution of Material in Violation of Statutes Exclusion bars coverage for BIPA claims.  This exclusion can, for example, seek to exclude coverage for violations of the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act of 2003, Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transaction Act (FACTA), or “any other laws, statutes, ordinances, or regulations that address, prohibit, or limit the printing, dissemination, disposal, collecting, recording, sending, transmitting, communicating or distribution of material or information.”  Multiple recent decisions have also held that this exclusion does not remove coverage for BIPA claims.  In arriving at their decisions, these courts analyzed whether BIPA was similar to the other listed examples of excluded statutes and determined that either BIPA was unlike the other statutes, or the exclusion was unclear.  Specifically, some of the listed statutes (such as TCPA and CAN-SPAM) regulate “methods of communication,” or “privacy as seclusion” – freedom from unauthorized or unwanted communications that citizens receive.  In contrast, some of the other statutes (such as FCRA and FACTA) regulate “privacy as secrecy” – private information that citizens give away.  Because these courts viewed it as unclear whether BIPA is similar to the other enumerated excluded statutes, these courts held that the exclusion is ambiguous and refused to apply it to bar coverage for BIPA claims.

Finally, insurers have also tried to avoid paying for BIPA claims by citing the Access or Disclosure of Confidential or Personal Information Exclusion.  This exclusion can, for example, seek to exclude coverage for “any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information.”  To analyze whether the exclusion applied, a court rejecting the exclusion has compared biometric data to the other examples of excluded “confidential or personal information” and held that it was “at best unclear” whether biometric information such as fingerprints was similar, because BIPA specifically states that “biometrics are unlike other unique identifiers that are used to access finances or other sensitive information.”

Taken together, these rulings are an encouraging sign for policyholders seeking defense coverage for BIPA lawsuits.  Although the insurers have pulled out all the stops to try and avoid paying for these claims, courts have largely rejected their arguments and ruled that the insurers have a duty to defend their policyholders against BIPA claims.  These rulings have become even more important because BIPA presents a dangerous source of potential exposure, depending on how the Illinois Supreme Court rules in Cothron on the calculation of damages under the statute.  Moreover, while BIPA remains the foremost statute regarding the collection, use, and disclosure of biometric data, more and more states have begun to enact similar laws, presenting new sources of potential liability for companies that use biometrics.  As the regulatory landscape becomes increasingly threatening, having insurance coverage in place for biometric-data claims has never been more important. Just don’t take your insurer’s word for it.

About the authors

Peter A. Halprin is a partner in Pasich LLP’s New York office.  Peter represents commercial policyholders in complex insurance coverage matters with a focus on recovery strategies in relation to cyber breaches and cybercrime, COVID-19 and natural disasters, professional services, regulatory investigations and class actions, and technology disputes. He can be reached at PHalprin@PasichLLP.com or (646) 974-6470.

Tae Andrews is a senior managing associate in the New York office. Tae has recovered hundreds of millions of dollars for corporate policyholders in coverage disputes with their insurance companies. He can be reached at TAndrews@PasichLLP.com or (646) 517-5051.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

biometric data  |  biometric identifiers  |  Biometric Information Privacy Act (BIPA)  |  biometrics  |  data privacy  |  insurance  |  lawsuits  |  legislation