The Illinois Biometric Information Privacy Act (BIPA) has been on the books for more than a decade. However, as a result of a January 2019 decision by the Illinois Supreme Court, the statute’s requirements and potential liabilities have become a much more serious concern. Moreover, a number of states have passed or are considering legislation similar to or designed to address the same concerns as the Illinois BIPA. This kind of privacy legislation represents a significant potential corporate liability exposure. As discussed further below, biometric data privacy-related claims present some complicated insurance coverage issues.
Background Regarding BIPA
The Illinois state legislature enacted BIPA in 2008 to regulate the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.” Biometric Identifier is defined to mean “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Among other things, BIPA requires companies to develop and follow written guidelines regarding the retention and destruction of biometric identifiers. The Act also requires companies to provide written disclosures and obtain a release before acquiring biometric information.
Persons “aggrieved by a violation” of BIPA have a private right of action under the statute and may sue to seek statutory remedies, including the greater of actual damages or liquidated damages of $1,000 (for negligent violations) or $5,000 (for intentional or reckless violations).
The plaintiffs’ class action bar has long been attracted to BIPA liability actions. The plaintiff class in these cases has consisted either of employees of companies that use biometric information (for example, by using fingerprints for time clock purposes) or customers of companies that use biometric information as part of customer engagement.
It is important to note that BIPA’s requirements are not limited just to Illinois companies. For example, on August 8, 2019, the Ninth Circuit affirmed a district court’s ruling that a BIPA liability class action lawsuit filed by three Illinois residents against Facebook may proceed. The Ninth Circuit’s opinion can be found here.
The Illinois Supreme Court’s Recent Decision in the Rosenbach Case
One question that has arisen in connection with BIPA class action litigation is whether or not a plaintiff must allege an “actual injury” caused by the alleged BIPA violation in order to recover damages. The Illinois Supreme Court addressed this issue in its January 25, 2019 decision in the Rosenbach v. Six Flags Entertainment Corporation case. (A copy of the Supreme Court’s opinion can be found here.)
The Illinois intermediate appellate court had held that “actual injury” is required in order to assert a BIPA claim for damages. However, the Illinois Supreme Court reversed the intermediate appellate court and held that a plaintiff may be “aggrieved” under BIPA and have standing to sue for statutory damages, even without alleging an “actual injury” caused by the BIPA violation.
A detailed January 29, 2019 memo from the Gibson Dunn law firm about the Illinois Supreme Court ruling can be found here.
The Impact of the Rosenbach Decision
At the time of the Rosenbach decision, observers feared that the Illinois Supreme Court’s ruling “opens the floodgates” (as one commentator noted, here). As it has turned out, it does seem to be the case that the decision has significantly encouraged plaintiffs’ lawyers to file BIPA class action lawsuits.
A June 2019 study on the Workplace Class Action Blog (here), which called the BIPA class action litigation the “hottest class action trend” in Illinois, showed that BIPA class litigation had “increased at an exponential and rapid pace” following the Illinois Supreme Court’s decision. The study found that while there had only been a total of 79 BIPA class actions filed in all of 2018, as of the half-way point in 2019, there had already been 161 BIPA class action lawsuits filed in 2019 (151 of which had been filed since the Illinois Supreme Court’s January 25, 2019 decision in the Rosenbach case).
To put these figures in perspective, in the entire period from the BIPA’s enactment in 2008 through the date of the Supreme Court’s decision, there had been a total of 173 BIPA class action lawsuits filed. Between January 25, 2019 and the date of the law firm’s study, there had already been 151 lawsuits filed.
Other States Are Adopting or Considering Biometric Privacy Legislation
As detailed in a September 2019 memo from the Thompson Hine law firm (here), Illinois is not the only state with legislation protecting biometric data. Both Texas and Washington state have long had legislation on the books protecting biometric data privacy. In recent years, a number of other states have enacted legislation protecting biometric data privacy, including Arkansas, California, and New York. In addition, a number of other states are considering legislation to protect biometric data privacy, including Alaska, Delaware, Florida, Arizona, Hawaii, Oregon, Massachusetts, New Hampshire, New Jersey and Rhode Island. While Illinois may be in the vanguard on biometric data privacy issues, other states are set to join the bandwagon. Clearly, biometric data privacy is and will remain a hot button privacy issue.
Insurance Coverage Questions Regarding BIPA Claims
As companies have been hit with these kinds of lawsuits, they have struggled with their insurers to establish insurance coverage for the claims. As discussed here, early efforts to establish coverage under CGL insurance policies foundered on the question of whether or not the plaintiff’s claim alleged “bodily injury” or “property damage.”
Policyholders faced with these kinds of claims have also sought insurance protection under other coverages, including their Employment Practices Liability insurance policies and their Cyber liability policies.
As a theoretical matter, the privacy liability protections in a Cyber insurance policy would seem to be a natural place to look for protection for these kinds of claims. The claimants’ alleged violation would seem to involve a privacy event, and the biometric data involved would seem to represent “confidential information.” However, there is no standard cyber insurance policy wording. The extent of coverage available for these kinds of claims could depend on a number of policy terms and conditions, including, for example, whether the collected confidential information must be disclosed or divulged to third parties in order for the coverage to be triggered.
In addition, some Cyber Insurance policies contain potentially coverage-preclusive exclusions. For example, some policies contain exclusions precluding coverage for claims “alleging, based upon, arising out of or attributable to the unlawful collection” of data or failure to disclose that such information is being collected. In some instances, cyber insurers are disputing coverage where the allegation is that the biometric data was collected without consent.
EPL insurance is another potential source of coverage for these kinds of claims. A threshold issue for policyholders seeking coverage for these kinds of claims is whether the biometric data collection violation constitutes an “employment practices wrongful act” as required in order for coverage to be triggered. The definition of covered “wrongful acts” in EPL insurance policies varies, but many policies contain provisions expressly including the “invasion of privacy” within the definition of wrongful act.
Another potential area in which BIPA claim defendants might seek insurance coverage is under their D&O insurance policies. Whether or not the D&O insurance could be triggered by these kinds of claims will depend of course on what specifically is alleged and on the specific wording of the applicable D&O insurance policy. One potential coverage stumbling block for private company insureds seeking D&O insurance for a BIPA claim is that the Bodily Injury/Property Damage (BI/PD) exclusion found in many private company D&O insurance policies expressly excludes coverage for claims alleging “invasion of privacy.” Public company D&O insurance policies generally would not provide coverage for BIPA claims against the company itself, as public company D&O insurance policies provide entity coverage only for claims alleging violations of the securities laws.
In an earlier post, I raised the question of whether privacy liability issues represent the next big D&O liability exposure. I continue to believe that privacy issues represent a significant area of potential D&O liability exposure. But beyond just D&O-related exposures, privacy issues represent a significant area of growing corporate liability generally. As the massive increase in Illinois BIPA class action litigation shows, the potential privacy liability risks may come from a number of different directions. And as noted above, the potential liability exposure for alleged biometric privacy violations likely will not be limited just to claims under the Illinois laws.
Policyholders understandably want and even expect insurance coverage protection for these kinds of claims. In order to try to address these kinds of expectations, it is going to be important for policyholders and their advisors to take these kinds of actions into account in the policy placement process. An important predicate of placing policies likelier to respond to these kinds of claims is a basic awareness that these kinds of claims exist and that they represent a growing threat – that is in fact the fundamental purpose of this blog post, to raise awareness of these kinds of claims.
The liability insurance carriers are well aware of these developments. My general impression is that the insurers are moving very quickly to try to contain their potential exposure to these kinds of claims. By way of illustration, I just happened to note on my Internet feed earlier this week a declaratory judgment action filed on November 18, 2019 in the Northern District of Illinois by Church Mutual Insurance Company, in which the insurance company seeks a judicial declaration that none of the insuring provisions in the insurance policy it issued to a senior center provide insurance for the BIPA class action lawsuit that had been filed against the senior center. As the BIPA litigation mounts, there likely will be further efforts by insurers to avoid coverage for these claims.
In addition to active efforts to contest coverage in the context of specific claims, I expect that we may see efforts by at least some carriers to try to affirmatively exclude coverage for these kinds of claims. By way of analogy, we did see TCPA-related claims exclusions emerge in the recent past when Telephone Consumer Protection Act class action lawsuits flared up at the time. We could well see BIPA or other kinds of biometric data collection and protection exclusions emerge.
In the meantime, it is important for companies and their insurance advisors to be aware that these biometric data-related liability issues are developing. The growth of scrutiny and of liability claims related to biometric data is only one way that privacy issues are now and will continue to be important areas of emerging corporate liability risk exposure. I continue to believe that privacy issues will be at the forefront of emerging liability issues in the months and years ahead.
Special thanks to the several industry professionals who called my attention to the BIPA litigation in discussions during the recent PLUS Conference.